Skip to main content

Labview CVE-2026-32863

| EUVDEUVD-2026-19906 HIGH
Out-of-bounds Read (CWE-125)
2026-04-07 NI
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:02 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
23.0.0,24.3.6,26.1.1
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19906
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:53 nvd
HIGH 8.5

DescriptionCVE.org

There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.

AnalysisAI

Memory corruption in NI LabVIEW 26.1.0 and earlier allows local attackers to execute arbitrary code or disclose sensitive information via maliciously crafted VI files. The vulnerability stems from an out-of-bounds read in sentry_transaction_context_set_operation(), requiring user interaction to open a specially crafted file. CVSS 8.5 (High) with local attack vector and low complexity. No public exploit identified at time of analysis, and EPSS data not available for this recently published CVE.

Technical ContextAI

The vulnerability resides in LabVIEW's sentry_transaction_context_set_operation() function, which performs inadequate bounds checking when processing VI (Virtual Instrument) files. CWE-125 classification indicates an out-of-bounds read condition, where the application reads data past the end of an allocated buffer. LabVIEW VI files are proprietary binary formats used for graphical programming workflows in test, measurement, and control systems. When parsing malformed VI files, the vulnerable function attempts to read memory outside allocated regions, potentially exposing sensitive data from adjacent memory or causing control flow corruption leading to code execution. This affects NI LabVIEW products identified as cpe:2.3:a:ni:labview:*:*:*:*:*:*:*:* through version 26.1.0 (2026 Q1 release).

RemediationAI

Organizations should immediately review the NI security advisory at https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html for patch availability and specific upgrade instructions. While exact patched version numbers are not specified in available data, NI typically releases updates through their software distribution channels. Until patches are applied, implement defense-in-depth measures including restricting execution of untrusted VI files, deploying application whitelisting to prevent unauthorized code execution, training users to avoid opening VI files from untrusted sources, and monitoring file execution activities in LabVIEW environments. Consider isolating LabVIEW systems from general network access where feasible to limit attack surface.

CVE-2017-2775 HIGH POC
7.5 Mar 31

An exploitable memory corruption vulnerability exists in the LvVariantUnflatten functionality in 64-bit versions of LabV

CVE-2017-2779 HIGH POC
7.5 Sep 05

An exploitable memory corruption vulnerability exists in the RSRC segment parsing functionality of LabVIEW 2017, LabVIEW

CVE-2013-5022 CRITICAL
10.0 Aug 06

Absolute path traversal vulnerability in the 3D Graph ActiveX control in cw3dgrph.ocx in National Instruments LabWindows

CVE-2013-5021 CRITICAL
9.3 Aug 06

Multiple absolute path traversal vulnerabilities in National Instruments cwui.ocx, as used in National Instruments LabWi

CVE-2025-2632 HIGH
8.5 Apr 09

Out of bounds write vulnerability due to improper bounds checking in NI LabVIEW reading CPU info from cache that may res

CVE-2025-2631 HIGH
8.5 Apr 09

Out of bounds write vulnerability due to improper bounds checking in NI LabVIEW in InitCPUInformation() that may result

CVE-2026-32864 HIGH
8.5 Apr 07

Memory corruption via out-of-bounds read in NI LabVIEW's mgcore_SH_25_3!aligned_free() function enables information disc

CVE-2026-32862 HIGH
8.5 Apr 07

Memory corruption in NI LabVIEW's ResFileFactory::InitResourceMgr() function allows arbitrary code execution or informat

CVE-2026-32861 HIGH
8.5 Apr 07

Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution and information disclosure when

CVE-2026-32860 HIGH
8.5 Apr 07

Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution when processing malicious LVLIB

CVE-2024-10496 HIGH
8.4 Dec 10

An out of bounds read due to improper input validation in BuildFontMap in fontmgr.cpp in NI LabVIEW may disclose informa

CVE-2024-10495 HIGH
8.4 Dec 10

An out of bounds read due to improper input validation when loading the font table in fontmgr.cpp in NI LabVIEW may disc

Share

CVE-2026-32863 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy