PatchSiren


CVE-2024-10494 NI CVE debrief

An out-of-bounds read vulnerability exists in the HeapObjMapImpl function of National Instruments LabVIEW. This memory safety defect may allow an attacker to disclose sensitive information or, if the read can be chained with other primitives, achieve arbitrary code execution. The vulnerability affects LabVIEW 2024 (up to and including Q3, 24.3f0), 2023, 2022, and the end-of-life versions 2021 and earlier. National Instruments has released patched versions for the supported releases.

Vendor
NI
Product
LabVIEW (2024 Q3 24.3f0 and earlier; 2023, 2022, and end-of-life 2021 and earlier are also affected)
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-12-10
Original CVE updated
2024-12-10
Advisory published
2024-12-10
Advisory updated
2024-12-10

Who should care

Organizations using National Instruments LabVIEW for test, measurement, and control applications, particularly in industrial and research environments. System administrators maintaining LabVIEW deployments across engineering workstations and HMI systems. Security teams responsible for industrial control system asset protection.

Technical summary

The vulnerability is an out-of-bounds read in the HeapObjMapImpl function. A defect of this class arises when software indexes or offsets past the end of an allocated buffer without first checking the bounds, so the read returns whatever happens to sit next in memory. Successful exploitation may disclose memory contents (heap data adjacent to the buffer), or lead to arbitrary code execution if the out-of-bounds read can be chained with other primitives to influence program control flow; an out-of-bounds read on its own is usually an information leak rather than a direct code-execution primitive. The CVSS 3.1 vector indicates a local attack vector with low attack complexity, no privileges required, and user interaction required, which is consistent with the attacker supplying content that a LabVIEW user then opens. The confidentiality, integrity, and availability impacts are all rated HIGH.
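To make the failure mode concrete, the following is an added example and not code from NI or from the advisory: a constructed object-record table lives at the start of one heap blob with unrelated sensitive bytes immediately after it, and a lookup that trusts an index from input without comparing it to the record count reads those adjacent bytes. The record layout, the names lookup_unchecked / lookup_checked / resolve_refs, and the "secret" bytes are all assumptions made for illustration; they say nothing about LabVIEW's real object map.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for this example (not NI's real object map):
 * a table of OBJ_COUNT fixed-size object records lives at the start of
 * one heap blob, immediately followed by unrelated data that an
 * attacker would like to read. */
#define OBJ_COUNT  4u
#define OBJ_SIZE   8u
#define SECRET_LEN 16u

typedef struct {
    const uint8_t *base;  /* first record of the table */
    uint32_t       count; /* number of valid records */
} obj_map_t;

static uint8_t g_heap[OBJ_COUNT * OBJ_SIZE + SECRET_LEN];

/* Fill the blob: record i holds eight 0x10+i bytes, then the "secret". */
obj_map_t build_map(void) {
    for (uint32_t i = 0; i < OBJ_COUNT; i++)
        memset(g_heap + i * OBJ_SIZE, (int)(0x10 + i), OBJ_SIZE);
    memcpy(g_heap + OBJ_COUNT * OBJ_SIZE, "SECRET-KEY-BYTES", SECRET_LEN);
    obj_map_t m = { g_heap, OBJ_COUNT };
    return m;
}

/* VULNERABLE: idx arrives from untrusted input and is used as a table
 * index without comparison against count. idx == count lands on the
 * bytes right after the table; larger values leave the allocation. */
const uint8_t *lookup_unchecked(const obj_map_t *m, uint32_t idx) {
    return m->base + (size_t)idx * OBJ_SIZE;
}

/* HARDENED: validate the index before any pointer arithmetic, so the
 * multiplication below can never be fed an out-of-range value. */
const uint8_t *lookup_checked(const obj_map_t *m, uint32_t idx) {
    if (idx >= m->count)
        return NULL;
    return m->base + (size_t)idx * OBJ_SIZE;
}

/* Resolve a list of object references the way a file parser would.
 * Returns the number of references rejected by the checked lookup. */
size_t resolve_refs(const obj_map_t *m, const uint32_t *refs, size_t n,
                    uint8_t out[][OBJ_SIZE]) {
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *rec = lookup_checked(m, refs[i]);
        if (rec == NULL) {
            memset(out[i], 0, OBJ_SIZE);
            rejected++;
        } else {
            memcpy(out[i], rec, OBJ_SIZE);
        }
    }
    return rejected;
}

int main(void) {
    obj_map_t m = build_map();
    /* Constructed "file" content: two valid references and one hostile. */
    const uint32_t refs[3] = { 0, 3, OBJ_COUNT };

    /* Unchecked path: the hostile index leaks the adjacent heap bytes. */
    const uint8_t *leak = lookup_unchecked(&m, refs[2]);
    printf("unchecked ref %u -> %.8s\n", refs[2], (const char *)leak);

    /* Checked path: the same reference is refused. */
    uint8_t out[3][OBJ_SIZE];
    size_t rejected = resolve_refs(&m, refs, 3, out);
    printf("checked parse rejected %zu of 3 references\n", rejected);
    return 0;
}
```

The secret is placed inside the same allocation on purpose: the leak is then deterministic and the program does not crash, which is also why this kind of adjacent-heap disclosure is not caught by AddressSanitizer (it only flags reads that leave the allocation). The hardened lookup compares the raw index against the count before multiplying, so an attacker-controlled index can neither reach past the table nor wrap the offset arithmetic on a 32-bit size_t.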

Defensive priority

high

Recommended defensive actions

  • Upgrade LabVIEW 2024 installations to Q3 Patch 2 or later via NI Package Manager
  • Upgrade LabVIEW 2023 installations to Q3 Patch 5 or later via NI Package Manager
  • Upgrade LabVIEW 2022 installations to Q3 Patch 4 or later via NI Package Manager
  • Replace LabVIEW 2021 and earlier end-of-life versions with supported releases
  • Where immediate patching is not feasible, apply defense-in-depth controls: treat LabVIEW files from outside the organization as untrusted input (the local vector with user interaction required is consistent with attacker-supplied content that a user opens), run LabVIEW under non-administrative accounts, and isolate engineering workstations and HMI hosts from business networks and the internet
  • Monitor CISA ICS advisories for additional guidance on industrial control system security

Evidence notes

CISA published advisory ICSA-24-345-04 on 2024-12-10 documenting this vulnerability in National Instruments LabVIEW. The advisory confirms the out-of-bounds read in HeapObjMapImpl with potential for information disclosure and code execution. It assigns a CVSS 3.1 score of 7.8 (HIGH) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

Official resources

CISA ICS advisory ICSA-24-345-04 (published 2024-12-10)