Platform: windows
Component: ni-labview
Fixed in: 23.0.0, 23.3.9, 24.3.6, 25.3.4, 26.1.1
CVE-2026-32860 describes a memory corruption vulnerability affecting NI LabVIEW. This flaw stems from an out-of-bounds write triggered when a corrupted LVLIB file is loaded, potentially allowing an attacker to achieve information disclosure or even arbitrary code execution. The vulnerability impacts versions 0.0.0 through 26.1.1 of NI LabVIEW, and a patch is available in version 26.1.1.
Successful exploitation of CVE-2026-32860 requires an attacker to trick a user into opening a specially crafted .lvlib file. The out-of-bounds write can corrupt memory, potentially allowing the attacker to read sensitive data from the system or execute arbitrary code. The impact could range from data theft to complete system compromise, depending on the attacker's capabilities and the privileges of the user opening the malicious file. While no direct precedent is immediately apparent, memory corruption vulnerabilities frequently lead to remote code execution, similar to other vulnerabilities affecting complex software packages.
CVE-2026-32860 was published on 2026-04-07. Its severity is rated HIGH (CVSS 7.8). As of this writing, there are no known public proof-of-concept exploits available. The vulnerability is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the potential for arbitrary code execution warrants careful attention and prompt patching.
Exploit Status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2026-32860 is to upgrade to NI LabVIEW version 26.1.1 or later, which contains the fix. If upgrading is not immediately feasible, exercise extreme caution when opening LVLIB files from untrusted sources. Consider implementing file type validation and strict access controls to limit user privileges and prevent unauthorized file execution. While a WAF is unlikely to be effective here, monitoring for unusual file access patterns and suspicious LVLIB file creation could provide early warning signs. After upgrading, confirm the fix by attempting to load a known malicious LVLIB file (if available from trusted sources) and verifying that the application does not crash or exhibit unexpected behavior.
Update to NI LabVIEW version 26.1.1 or later to mitigate the vulnerability. The update corrects an out-of-bounds write error when loading corrupted lvlib files, preventing potential information disclosure or arbitrary code execution. Download the update from the NI support website.
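One way to act on the advice above about LVLIB files from untrusted sources, as an added example that is not NI's code or part of the original advisory: a PowerShell inventory of .lvlib files that still carry a Windows Mark-of-the-Web. The search roots and the 30-day "recent" window are assumptions to adjust for your environment.

```powershell
# Added example: list .lvlib files under user-writable folders and report
# their Mark-of-the-Web (MotW) zone, so downloaded libraries can be reviewed
# before anyone opens them in LabVIEW.
# Assumptions: the default roots and the 30-day window below.
param(
    [string[]]$Roots = @(
        (Join-Path $env:USERPROFILE 'Downloads'),
        (Join-Path $env:USERPROFILE 'Desktop'),
        (Join-Path $env:USERPROFILE 'Documents')
    ),
    [int]$RecentDays = 30
)

$cutoff = (Get-Date).AddDays(-$RecentDays)

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.lvlib' -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.lvlib' } |   # exact extension only
        ForEach-Object {
            # Zone.Identifier is the NTFS alternate data stream that stores the MotW.
            $motw = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            $zoneId  = $null
            $hostUrl = $null
            foreach ($line in $motw) {
                if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
                if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
            }
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Recent    = ($_.CreationTime -ge $cutoff)
                ZoneId    = $zoneId                      # 3 = Internet, 4 = Restricted
                Untrusted = ($null -ne $zoneId -and $zoneId -ge 3)
                HostUrl   = $hostUrl
            }
        }
}

# Untrusted-zone files first, then the most recently created.
$findings |
    Sort-Object -Property @{ Expression = 'Untrusted'; Descending = $true },
                          @{ Expression = 'Created';   Descending = $true }
```

A missing ZoneId does not prove a file is local in origin, since some archive tools and file transfers drop the Mark-of-the-Web; treat recently created files without one as still needing review.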
CVE-2026-32860 is a HIGH severity memory corruption vulnerability in NI LabVIEW versions 0.0.0–26.1.1, allowing potential information disclosure or arbitrary code execution via a corrupted .lvlib file.
If you are using NI LabVIEW versions 0.0.0 through 26.1.1, you are potentially affected by this vulnerability. Upgrade to 26.1.1 or later to mitigate the risk.
The recommended fix is to upgrade to NI LabVIEW version 26.1.1 or a later version that includes the security patch.
As of the current date, there is no confirmed evidence of active exploitation of CVE-2026-32860, but the potential for code execution warrants prompt patching.
Please refer to the National Instruments security advisory page for the most up-to-date information and official guidance regarding CVE-2026-32860.