Memory Corruption Issues Due to Improper Length Checks in LabVIEW

Overview

Memory corruption issues due to improper length checks in LabVIEW may disclose information or result in arbitrary code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. These vulnerabilities affect LabVIEW 2024 Q1 and prior versions.

These vulnerabilities are identified as CVE-2024-4080 and CVE-2024-4081.

Mitigation Guidance

NI strongly recommends patching the affected software to mitigate these vulnerabilities. Refer to the Affected Products section to download the update.

Affected Products

CVSS Score

CVE-2024-4080 - 7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-4081 - 7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

NI would like to thank Michael Heinzl working with CISA for reporting this issue and working with us on coordinated disclosure.

Additional Resources

Product Version           Mitigation
LabVIEW 2024 Q1           Upgrade to LabVIEW 2024 Q3 or later from NI Package Manager or Software Downloads
LabVIEW 2023              Install LabVIEW 2023 Q3 Patch 3 or later from NI Package Manager or Software Downloads
LabVIEW 2022              Install LabVIEW 2022 Q3 Patch 1 or later from NI Package Manager or Software Downloads
LabVIEW 2021              Install LabVIEW 2021 SP1 f2 or later from NI Package Manager or Software Downloads
LabVIEW 2020 and prior    No longer in Mainstream Support
