{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/labview/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-32864"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32864","labview","memory-corruption","out-of-bounds-read"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA memory corruption vulnerability, identified as CVE-2026-32864, exists within National Instruments (NI) LabVIEW software. The flaw is triggered by an out-of-bounds read within the \u003ccode\u003emgcore_SH_25_3!aligned_free()\u003c/code\u003e function. An attacker can exploit this vulnerability by enticing a user to open a specially crafted VI (Virtual Instrument) file. Successful exploitation could lead to information disclosure, potentially exposing sensitive data handled by LabVIEW, or arbitrary code execution, granting the attacker control over the affected system. 
This vulnerability affects NI LabVIEW versions 2026 Q1 (26.1.0) and all prior versions, making a wide range of LabVIEW installations susceptible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious LabVIEW VI file designed to trigger the out-of-bounds read in \u003ccode\u003emgcore_SH_25_3!aligned_free()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses social engineering to convince a victim to open the specially crafted VI file.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious VI file using a vulnerable version of NI LabVIEW (2026 Q1 (26.1.0) and prior).\u003c/li\u003e\n\u003cli\u003eLabVIEW attempts to process the malformed data within the VI file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emgcore_SH_25_3!aligned_free()\u003c/code\u003e function is called during the VI file processing.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds read occurs when \u003ccode\u003ealigned_free()\u003c/code\u003e attempts to access memory outside of allocated bounds.\u003c/li\u003e\n\u003cli\u003eDepending on the memory layout, this can lead to information disclosure by leaking memory contents, or arbitrary code execution by overwriting critical data.\u003c/li\u003e\n\u003cli\u003eIf arbitrary code execution is achieved, the attacker can then install malware, exfiltrate data, or perform other malicious actions on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32864 can have serious consequences. Information disclosure could expose sensitive data processed by LabVIEW, such as measurement data, control algorithms, or proprietary code. Arbitrary code execution would allow an attacker to gain complete control over the affected system, enabling them to install malware, steal data, or disrupt operations. 
The vulnerability affects a broad range of LabVIEW users, potentially impacting industrial control systems, research and development environments, and other critical applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided by National Instruments for CVE-2026-32864 to remediate the out-of-bounds read vulnerability. Refer to the NI security advisory for specific instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLabVIEW_Suspicious_VI_File_Open\u003c/code\u003e to detect suspicious LabVIEW VI files being opened based on file path or other attributes.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eLabVIEW.exe\u003c/code\u003e spawning unusual child processes or accessing unusual network resources after a VI file has been opened, which could indicate successful code execution (see \u003ccode\u003eLabVIEW_Suspicious_Child_Process\u003c/code\u003e rule).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening untrusted VI files and emphasize the importance of verifying the source of any VI file before opening it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:00:00Z","date_published":"2026-04-08T12:00:00Z","id":"/briefs/2026-04-labview-oob-read/","summary":"A memory corruption vulnerability exists in NI LabVIEW due to an out-of-bounds read in mgcore_SH_25_3!aligned_free(), potentially leading to information disclosure or arbitrary code execution if a user opens a specially crafted VI file.","title":"NI LabVIEW Out-of-Bounds Read Vulnerability (CVE-2026-32864)","url":"https://feed.craftedsignal.io/briefs/2026-04-labview-oob-read/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-32863"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32863","labview","out-of-bounds read","memory corruption","arbitrary code execution","information 
disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical memory corruption vulnerability (CVE-2026-32863) exists in National Instruments (NI) LabVIEW, specifically within the \u003ccode\u003esentry_transaction_context_set_operation()\u003c/code\u003e function. This out-of-bounds read vulnerability can be exploited by an attacker who successfully convinces a LabVIEW user to open a malicious, specially crafted VI file. Successful exploitation could lead to information disclosure, potentially exposing sensitive data handled by LabVIEW, or even allow for arbitrary code execution, granting the attacker control over the affected system. The vulnerability affects NI LabVIEW 2026 Q1 (version 26.1.0) and all prior versions, posing a risk to a wide range of users in industrial, scientific, and engineering sectors that rely on LabVIEW for automation and data acquisition.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious VI File:\u003c/strong\u003e The attacker crafts a malicious VI (Virtual Instrument) file designed to trigger the out-of-bounds read in \u003ccode\u003esentry_transaction_context_set_operation()\u003c/code\u003e. This likely involves manipulating the structure of the VI file to contain invalid or unexpected data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSocial Engineering:\u003c/strong\u003e The attacker uses social engineering techniques to convince a LabVIEW user to open the malicious VI file. 
This could involve sending the file as an email attachment, hosting it on a website, or any other method of tricking the user into opening the file within LabVIEW.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVI File Opened:\u003c/strong\u003e The user opens the malicious VI file using NI LabVIEW (version 26.1.0 or earlier).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003esentry_transaction_context_set_operation()\u003c/code\u003e Triggered:\u003c/strong\u003e When LabVIEW attempts to process the crafted VI file, the \u003ccode\u003esentry_transaction_context_set_operation()\u003c/code\u003e function is called with the manipulated data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOut-of-Bounds Read:\u003c/strong\u003e The vulnerability in \u003ccode\u003esentry_transaction_context_set_operation()\u003c/code\u003e is triggered, leading to an out-of-bounds read. This could involve reading memory outside of the intended buffer or data structure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Disclosure or Code Execution:\u003c/strong\u003e The out-of-bounds read leads to either information disclosure (leaking sensitive data from memory) or arbitrary code execution (allowing the attacker to execute malicious code on the system), depending on how the memory corruption is handled.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence/Lateral Movement (If Code Execution):\u003c/strong\u003e If the attacker achieves code execution, they may attempt to establish persistence on the system (e.g., by creating a scheduled task or modifying startup files) and/or move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAchieve Objective:\u003c/strong\u003e The attacker leverages the compromised system to achieve their ultimate objective, which could include stealing data, disrupting operations, or using the system as a launchpad for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32863 can have severe consequences. Information disclosure could expose sensitive data related to industrial processes, research data, or proprietary algorithms. Arbitrary code execution would allow attackers to gain full control over the affected LabVIEW system, potentially disrupting critical operations, manipulating data, or causing physical damage in automated systems. While the exact number of victims is unknown, the wide use of NI LabVIEW across various industries (manufacturing, aerospace, research, etc.) means that a successful, widespread attack could have a significant impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update NI LabVIEW to a version that is not affected by CVE-2026-32863, as detailed in the NI security advisory (\u003ca href=\"https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html\"\u003ehttps://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate LabVIEW users about the risks of opening untrusted VI files and the potential for social engineering attacks.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for LabVIEW (\u003ccode\u003eLabVIEW.exe\u003c/code\u003e) spawning unusual child processes, as this could indicate successful code execution following exploitation. 
Deploy a Sigma rule such as the one provided to detect this behavior.\u003c/li\u003e\n\u003cli\u003eEnable and review process execution logs for \u003ccode\u003eLabVIEW.exe\u003c/code\u003e and related processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T20:16:26Z","date_published":"2026-04-07T20:16:26Z","id":"/briefs/2026-04-ni-labview-oob-read/","summary":"A memory corruption vulnerability due to an out-of-bounds read in NI LabVIEW's `sentry_transaction_context_set_operation()` function could lead to information disclosure or arbitrary code execution by opening a specially crafted VI file.","title":"NI LabVIEW Out-of-Bounds Read Vulnerability (CVE-2026-32863)","url":"https://feed.craftedsignal.io/briefs/2026-04-ni-labview-oob-read/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-32860"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32860","labview","memory corruption","out-of-bounds write","lvlib"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32860 is a vulnerability affecting NI LabVIEW versions 2026 Q1 (26.1.0) and prior. The vulnerability stems from an out-of-bounds write condition encountered during the loading of a corrupted LVLIB (LabVIEW Library) file. An attacker could exploit this flaw by crafting a malicious .lvlib file and enticing a user to open it within LabVIEW. Successful exploitation could lead to memory corruption, potentially enabling information disclosure or the execution of arbitrary code within the context of the LabVIEW application. 
This poses a significant risk to systems running vulnerable versions of LabVIEW, particularly those handling or processing potentially untrusted LVLIB files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious .lvlib file containing corrupted data designed to trigger the out-of-bounds write.\u003c/li\u003e\n\u003cli\u003eThe attacker uses social engineering or other means to convince a victim to open the malicious .lvlib file in NI LabVIEW.\u003c/li\u003e\n\u003cli\u003eThe victim opens the .lvlib file within NI LabVIEW.\u003c/li\u003e\n\u003cli\u003eLabVIEW attempts to parse the corrupted data within the .lvlib file.\u003c/li\u003e\n\u003cli\u003eDuring the parsing process, the out-of-bounds write vulnerability is triggered due to the malformed data.\u003c/li\u003e\n\u003cli\u003eMemory corruption occurs, potentially overwriting critical program data or code.\u003c/li\u003e\n\u003cli\u003eDepending on the overwritten memory, the attacker may achieve information disclosure by reading sensitive data.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker may achieve arbitrary code execution by overwriting code pointers or injecting malicious code into memory.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32860 can lead to both information disclosure and arbitrary code execution on affected systems. An attacker exploiting this vulnerability could potentially gain unauthorized access to sensitive data processed or stored by LabVIEW, or completely compromise the affected system by executing malicious code. 
The impact is significant, especially in industrial control systems and other critical infrastructure environments where LabVIEW is commonly used, as it could lead to disruption of services, data breaches, or even physical damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by National Instruments as described in the advisory at \u003ca href=\"https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html\"\u003ehttps://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html\u003c/a\u003e to remediate CVE-2026-32860.\u003c/li\u003e\n\u003cli\u003eImplement strict file handling procedures and user awareness training to prevent users from opening untrusted .lvlib files received from external sources.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for unusual or unexpected activity originating from LabVIEW processes, which could indicate successful exploitation of this or other vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T20:16:24Z","date_published":"2026-04-07T20:16:24Z","id":"/briefs/2026-04-labview-lvlib-vuln/","summary":"A memory corruption vulnerability exists in NI LabVIEW due to an out-of-bounds write when loading a corrupted LVLIB file, potentially leading to information disclosure or arbitrary code execution if a user opens a specially crafted .lvlib file.","title":"NI LabVIEW LVLIB File Parsing Memory Corruption Vulnerability 
(CVE-2026-32860)","url":"https://feed.craftedsignal.io/briefs/2026-04-labview-lvlib-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-32861"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32861","labview","out-of-bounds write","memory corruption"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA memory corruption vulnerability has been identified in NI LabVIEW versions 2026 Q1 (26.1.0) and prior. This vulnerability, tracked as CVE-2026-32861, stems from an out-of-bounds write that occurs when the software attempts to load a malformed LVCLASS file. An attacker could exploit this vulnerability by crafting a malicious .lvclass file and convincing a user to open it within LabVIEW. Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution or disclose sensitive information from the affected system. This poses a significant risk to organizations using LabVIEW for critical applications, as it could lead to system compromise and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious .lvclass file containing an out-of-bounds write payload.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted .lvclass file to the victim via social engineering or other delivery methods.\u003c/li\u003e\n\u003cli\u003eThe victim, using a vulnerable version of NI LabVIEW, opens the malicious .lvclass file.\u003c/li\u003e\n\u003cli\u003eLabVIEW attempts to parse the LVCLASS file, triggering the out-of-bounds write vulnerability.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds write corrupts memory, potentially overwriting critical data structures or code.\u003c/li\u003e\n\u003cli\u003eIf the overwritten memory contains attacker-controlled code, it could lead to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the LabVIEW process 
and potentially the entire system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as data exfiltration, installing backdoors, or further compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32861 can lead to information disclosure and arbitrary code execution on systems running vulnerable versions of NI LabVIEW. This could allow an attacker to steal sensitive data, install malware, or gain complete control of the affected system. The impact of this vulnerability is significant, especially for organizations using LabVIEW in critical infrastructure or industrial control systems, potentially leading to operational disruption, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by National Instruments to address CVE-2026-32861 on all systems running NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 
Refer to the NI advisory for download links: \u003ca href=\"https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html\"\u003ehttps://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate users about the risks of opening files from untrusted sources to mitigate the initial access vector.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectSuspiciousLvclassFileOpen\u003c/code\u003e to detect a suspicious LabVIEW process opening LVCLASS files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T20:16:24Z","date_published":"2026-04-07T20:16:24Z","id":"/briefs/2026-04-labview-lvclass-oob-write/","summary":"A memory corruption vulnerability exists in NI LabVIEW due to an out-of-bounds write when loading a corrupted LVCLASS file (CVE-2026-32861), potentially leading to information disclosure or arbitrary code execution if a user opens a specially crafted .lvclass file.","title":"NI LabVIEW LVCLASS File Parsing Out-of-Bounds Write Vulnerability (CVE-2026-32861)","url":"https://feed.craftedsignal.io/briefs/2026-04-labview-lvclass-oob-write/"}],"language":"en","title":"CraftedSignal Threat Feed — Labview","version":"https://jsonfeed.org/version/1.1"}