There are three out of bounds read vulnerabilities due to improper input validation that exist in NI LabVIEW that may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. These vulnerabilities affect NI LabVIEW 2024 Q3 and prior versions.
These vulnerabilities are identified as:
NI strongly recommends upgrading the affected software to mitigate these vulnerabilities. Refer to the Affected Products section for information on upgrading these products.
CVE-2024-10494 – 7.8 - CVSS:3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-10495 – 7.8 - CVSS:3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-10496 – 7.8 - CVSS:3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
NI would like to thank Michael Heinzl working with CISA for reporting this issue and working with us on coordinated disclosure.
| Product Version | Mitigation |
|---|---|
| LabVIEW 2024 | Upgrade to LabVIEW 2024 Q3 Patch 2 or later from NI Package Manager or Software Downloads |
| LabVIEW 2023 | Upgrade to LabVIEW 2023 Q3 Patch 5 or later from NI Package Manager or Software Downloads |
| LabVIEW 2022 | Upgrade to LabVIEW 2022 Q3 Patch 4 or later from NI Package Manager or Software Downloads |
| LabVIEW 2021 and prior | Not in Mainstream Support |