<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Labview — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/labview/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/labview/feed.xml" rel="self" type="application/rss+xml"/><item><title>NI LabVIEW Out-of-Bounds Read Vulnerability (CVE-2026-32864)</title><link>https://feed.craftedsignal.io/briefs/2026-04-labview-oob-read/</link><pubDate>Wed, 08 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-labview-oob-read/</guid><description>A memory corruption vulnerability exists in NI LabVIEW due to an out-of-bounds read in mgcore_SH_25_3!aligned_free(), potentially leading to information disclosure or arbitrary code execution if a user opens a specially crafted VI file.</description><content:encoded><![CDATA[<p>A memory corruption vulnerability, identified as CVE-2026-32864, exists within National Instruments (NI) LabVIEW software. The flaw is triggered by an out-of-bounds read within the <code>mgcore_SH_25_3!aligned_free()</code> function. An attacker can exploit this vulnerability by enticing a user to open a specially crafted VI (Virtual Instrument) file. Successful exploitation could lead to information disclosure, potentially exposing sensitive data handled by LabVIEW, or arbitrary code execution, granting the attacker control over the affected system. 
This vulnerability affects NI LabVIEW versions 2026 Q1 (26.1.0) and all prior versions, making a wide range of LabVIEW installations susceptible.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious LabVIEW VI file designed to trigger the out-of-bounds read in <code>mgcore_SH_25_3!aligned_free()</code>.</li>
<li>The attacker uses social engineering to convince a victim to open the specially crafted VI file.</li>
<li>The victim opens the malicious VI file using a vulnerable version of NI LabVIEW (2026 Q1 (26.1.0) and prior).</li>
<li>LabVIEW attempts to process the malformed data within the VI file.</li>
<li>The <code>mgcore_SH_25_3!aligned_free()</code> function is called during the VI file processing.</li>
<li>The out-of-bounds read occurs when <code>aligned_free()</code> attempts to access memory outside of allocated bounds.</li>
<li>Depending on the memory layout, this can lead to information disclosure by leaking memory contents, or arbitrary code execution by overwriting critical data.</li>
<li>If arbitrary code execution is achieved, the attacker can then install malware, exfiltrate data, or perform other malicious actions on the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32864 can have serious consequences. Information disclosure could expose sensitive data processed by LabVIEW, such as measurement data, control algorithms, or proprietary code. Arbitrary code execution would allow an attacker to gain complete control over the affected system, enabling them to install malware, steal data, or disrupt operations. The vulnerability affects a broad range of LabVIEW users, potentially impacting industrial control systems, research and development environments, and other critical applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided by National Instruments for CVE-2026-32864 to remediate the out-of-bounds read vulnerability. Refer to the NI security advisory for specific instructions.</li>
<li>Deploy the Sigma rule <code>LabVIEW_Suspicious_VI_File_Open</code> to detect suspicious LabVIEW VI files being opened based on file path or other attributes.</li>
<li>Monitor process creation events for <code>LabVIEW.exe</code> spawning unusual child processes or accessing unusual network resources after a VI file has been opened, which could indicate successful code execution (see <code>LabVIEW_Suspicious_Child_Process</code> rule).</li>
<li>Educate users about the risks of opening untrusted VI files and emphasize the importance of verifying the source of any VI file before opening it.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-32864</category><category>labview</category><category>memory-corruption</category><category>out-of-bounds-read</category></item><item><title>NI LabVIEW Out-of-Bounds Read Vulnerability (CVE-2026-32863)</title><link>https://feed.craftedsignal.io/briefs/2026-04-ni-labview-oob-read/</link><pubDate>Tue, 07 Apr 2026 20:16:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-ni-labview-oob-read/</guid><description>A memory corruption vulnerability due to an out-of-bounds read in NI LabVIEW's `sentry_transaction_context_set_operation()` function could lead to information disclosure or arbitrary code execution by opening a specially crafted VI file.</description><content:encoded><![CDATA[<p>A critical memory corruption vulnerability (CVE-2026-32863) exists in National Instruments (NI) LabVIEW, specifically within the <code>sentry_transaction_context_set_operation()</code> function. This out-of-bounds read vulnerability can be exploited by an attacker who successfully convinces a LabVIEW user to open a malicious, specially crafted VI file. Successful exploitation could lead to information disclosure, potentially exposing sensitive data handled by LabVIEW, or even allow for arbitrary code execution, granting the attacker control over the affected system. The vulnerability affects NI LabVIEW 2026 Q1 (version 26.1.0) and all prior versions, posing a risk to a wide range of users in industrial, scientific, and engineering sectors that rely on LabVIEW for automation and data acquisition.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Craft Malicious VI File:</strong> The attacker crafts a malicious VI (Virtual Instrument) file designed to trigger the out-of-bounds read in <code>sentry_transaction_context_set_operation()</code>. This likely involves manipulating the structure of the VI file to contain invalid or unexpected data.</li>
<li><strong>Social Engineering:</strong> The attacker uses social engineering techniques to convince a LabVIEW user to open the malicious VI file. This could involve sending the file as an email attachment, hosting it on a website, or any other method of tricking the user into opening the file within LabVIEW.</li>
<li><strong>VI File Opened:</strong> The user opens the malicious VI file using NI LabVIEW (version 26.1.0 or earlier).</li>
<li><strong><code>sentry_transaction_context_set_operation()</code> Triggered:</strong> When LabVIEW attempts to process the crafted VI file, the <code>sentry_transaction_context_set_operation()</code> function is called with the manipulated data.</li>
<li><strong>Out-of-Bounds Read:</strong> The vulnerability in <code>sentry_transaction_context_set_operation()</code> is triggered, leading to an out-of-bounds read. This could involve reading memory outside of the intended buffer or data structure.</li>
<li><strong>Information Disclosure or Code Execution:</strong> The out-of-bounds read leads to either information disclosure (leaking sensitive data from memory) or arbitrary code execution (allowing the attacker to execute malicious code on the system), depending on how the memory corruption is handled.</li>
<li><strong>Persistence/Lateral Movement (If Code Execution):</strong> If the attacker achieves code execution, they may attempt to establish persistence on the system (e.g., by creating a scheduled task or modifying startup files) and/or move laterally to other systems on the network.</li>
<li><strong>Achieve Objective:</strong> The attacker leverages the compromised system to achieve their ultimate objective, which could include stealing data, disrupting operations, or using the system as a launchpad for further attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32863 can have severe consequences. Information disclosure could expose sensitive data related to industrial processes, research data, or proprietary algorithms. Arbitrary code execution would allow attackers to gain full control over the affected LabVIEW system, potentially disrupting critical operations, manipulating data, or causing physical damage in automated systems. While the exact number of victims is unknown, the wide use of NI LabVIEW across various industries (manufacturing, aerospace, research, etc.) means that a successful, widespread attack could have a significant impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update NI LabVIEW to a version that is not affected by CVE-2026-32863, as detailed in the NI security advisory (<a href="https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html">https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html</a>).</li>
<li>Implement user awareness training to educate LabVIEW users about the risks of opening untrusted VI files and the potential for social engineering attacks.</li>
<li>Monitor process creation events for LabVIEW (<code>LabVIEW.exe</code>) spawning unusual child processes, as this could indicate successful code execution following exploitation. Deploy a Sigma rule such as the one provided to detect this behavior.</li>
<li>Enable and review process execution logs for <code>LabVIEW.exe</code> and related processes.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-32863</category><category>labview</category><category>out-of-bounds read</category><category>memory corruption</category><category>arbitrary code execution</category><category>information disclosure</category></item><item><title>NI LabVIEW LVLIB File Parsing Memory Corruption Vulnerability (CVE-2026-32860)</title><link>https://feed.craftedsignal.io/briefs/2026-04-labview-lvlib-vuln/</link><pubDate>Tue, 07 Apr 2026 20:16:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-labview-lvlib-vuln/</guid><description>A memory corruption vulnerability exists in NI LabVIEW due to an out-of-bounds write when loading a corrupted LVLIB file, potentially leading to information disclosure or arbitrary code execution if a user opens a specially crafted .lvlib file.</description><content:encoded><![CDATA[<p>CVE-2026-32860 is a vulnerability affecting NI LabVIEW versions 2026 Q1 (26.1.0) and prior. The vulnerability stems from an out-of-bounds write condition encountered during the loading of a corrupted LVLIB (LabVIEW Library) file. An attacker could exploit this flaw by crafting a malicious .lvlib file and enticing a user to open it within LabVIEW. Successful exploitation could lead to memory corruption, potentially enabling information disclosure or the execution of arbitrary code within the context of the LabVIEW application. This poses a significant risk to systems running vulnerable versions of LabVIEW, particularly those handling or processing potentially untrusted LVLIB files.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious .lvlib file containing corrupted data designed to trigger the out-of-bounds write.</li>
<li>The attacker uses social engineering or other means to convince a victim to open the malicious .lvlib file in NI LabVIEW.</li>
<li>The victim opens the .lvlib file within NI LabVIEW.</li>
<li>LabVIEW attempts to parse the corrupted data within the .lvlib file.</li>
<li>During the parsing process, the out-of-bounds write vulnerability is triggered due to the malformed data.</li>
<li>Memory corruption occurs, potentially overwriting critical program data or code.</li>
<li>Depending on the overwritten memory, the attacker may achieve information disclosure by reading sensitive data.</li>
<li>Alternatively, the attacker may achieve arbitrary code execution by overwriting code pointers or injecting malicious code into memory.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32860 can lead to both information disclosure and arbitrary code execution on affected systems. An attacker exploiting this vulnerability could potentially gain unauthorized access to sensitive data processed or stored by LabVIEW, or completely compromise the affected system by executing malicious code. The impact is significant, especially in industrial control systems and other critical infrastructure environments where LabVIEW is commonly used, as it could lead to disruption of services, data breaches, or even physical damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patch provided by National Instruments as described in the advisory at <a href="https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html">https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html</a> to remediate CVE-2026-32860.</li>
<li>Implement strict file handling procedures and user awareness training to prevent users from opening untrusted .lvlib files received from external sources.</li>
<li>Monitor process execution for unusual or unexpected activity originating from LabVIEW processes, which could indicate successful exploitation of this or other vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-32860</category><category>labview</category><category>memory corruption</category><category>out-of-bounds write</category><category>lvlib</category></item><item><title>NI LabVIEW LVCLASS File Parsing Out-of-Bounds Write Vulnerability (CVE-2026-32861)</title><link>https://feed.craftedsignal.io/briefs/2026-04-labview-lvclass-oob-write/</link><pubDate>Tue, 07 Apr 2026 20:16:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-labview-lvclass-oob-write/</guid><description>A memory corruption vulnerability exists in NI LabVIEW due to an out-of-bounds write when loading a corrupted LVCLASS file (CVE-2026-32861), potentially leading to information disclosure or arbitrary code execution if a user opens a specially crafted .lvclass file.</description><content:encoded><![CDATA[<p>A memory corruption vulnerability has been identified in NI LabVIEW versions 2026 Q1 (26.1.0) and prior. This vulnerability, tracked as CVE-2026-32861, stems from an out-of-bounds write that occurs when the software attempts to load a malformed LVCLASS file. An attacker could exploit this vulnerability by crafting a malicious .lvclass file and convincing a user to open it within LabVIEW. Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution or disclose sensitive information from the affected system. This poses a significant risk to organizations using LabVIEW for critical applications, as it could lead to system compromise and data breaches.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious .lvclass file containing an out-of-bounds write payload.</li>
<li>The attacker delivers the crafted .lvclass file to the victim via social engineering or other delivery methods.</li>
<li>The victim, using a vulnerable version of NI LabVIEW, opens the malicious .lvclass file.</li>
<li>LabVIEW attempts to parse the LVCLASS file, triggering the out-of-bounds write vulnerability.</li>
<li>The out-of-bounds write corrupts memory, potentially overwriting critical data structures or code.</li>
<li>If the overwritten memory contains attacker-controlled code, this could lead to arbitrary code execution.</li>
<li>The attacker gains control of the LabVIEW process and potentially the entire system.</li>
<li>The attacker performs malicious actions, such as data exfiltration, installing backdoors, or further compromising the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32861 can lead to information disclosure and arbitrary code execution on systems running vulnerable versions of NI LabVIEW. This could allow an attacker to steal sensitive data, install malware, or gain complete control of the affected system. The impact of this vulnerability is significant, especially for organizations using LabVIEW in critical infrastructure or industrial control systems, potentially leading to operational disruption, financial loss, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patch provided by National Instruments to address CVE-2026-32861 on all systems running NI LabVIEW 2026 Q1 (26.1.0) and prior versions. Refer to the NI advisory for download links: <a href="https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html">https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html</a>.</li>
<li>Implement user awareness training to educate users about the risks of opening files from untrusted sources to mitigate the initial access vector.</li>
<li>Deploy the Sigma rule <code>DetectSuspiciousLvclassFileOpen</code> to detect a suspicious LabVIEW process opening LVCLASS files.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-32861</category><category>labview</category><category>out-of-bounds write</category><category>memory corruption</category></item></channel></rss>