Memory corruption issues due to improper length checks in LabVIEW may disclose information or result in arbitrary code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.
These vulnerabilities are identified as CVE-2024-4080 and CVE-2024-4081.
NI strongly recommends patching the affected software to mitigate this vulnerability. Refer to the Affected Products section to download the update.
CVE-2024-4080– 7.8 - CVSS:3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-4081– 7.8 - CVSS:3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
NI would like to thank Michael Heinzl working with CISA for reporting this issue and working with us on coordinated disclosure.
| Product Version | Mitigation |
|---|---|
| LabVIEW 2024 Q1 | Upgrade to LabVIEW 2024 Q3 or later from NI Package Manager or Software Downloads |
| LabVIEW 2023 | Install LabVIEW 2023 Q3 Patch 3 or later from NI Package Manager or Software Downloads |
| LabVIEW 2022 | Install LabVIEW 2022 Q3 Patch 1 or later from NI Package Manager or Software Downloads |
| LabVIEW 2021 | Install LabVIEW 2021 SP1 f2 or later from NI Package Manager or Software Downloads |
| LabVIEW 2020 and prior | No longer in Mainstream Support |