PatchSiren cyber security CVE debrief
CVE-2024-10495 NI CVE debrief
A high-severity out-of-bounds read vulnerability exists in National Instruments LabVIEW when loading the font table. This vulnerability, published on December 10, 2024, may allow an attacker to disclose information or execute arbitrary code. The vulnerability affects multiple versions of LabVIEW, including LabVIEW 2024 (up to Q3 24.3f0), LabVIEW 2023, LabVIEW 2022, and LabVIEW 2021 (EOL) and below. National Instruments has released patches for supported versions and recommends upgrading to the latest patched versions. LabVIEW 2021 and earlier versions are end-of-life and receive no support.
- Vendor: NI
- Product: LabVIEW 2024
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-12-10
- Original CVE updated: 2024-12-10
- Advisory published: 2024-12-10
- Advisory updated: 2024-12-10
Who should care
Organizations using National Instruments LabVIEW for test, measurement, and control applications, particularly in industrial and research environments. System administrators maintaining LabVIEW deployments should prioritize patching supported versions and planning migration from end-of-life releases.
Technical summary
CVE-2024-10495 is an out-of-bounds read vulnerability in National Instruments LabVIEW triggered during font table loading. The vulnerability has a CVSS 3.1 score of 7.8 (HIGH) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a local attack vector requiring user interaction but resulting in high impact to confidentiality, integrity, and availability. Successful exploitation may lead to information disclosure or arbitrary code execution. Affected versions include LabVIEW 2024 (<=Q3_24.3f0), LabVIEW 2023 (all versions), LabVIEW 2022 (all versions), and LabVIEW 2021 (EOL) and below. National Instruments has released patches for supported versions: LabVIEW 2024 Q3 Patch 2, LabVIEW 2023 Q3 Patch 5, and LabVIEW 2022 Q3 Patch 4. LabVIEW 2021 and earlier versions are end-of-life with no patches available.
Defensive priority
high
Recommended defensive actions
- Upgrade LabVIEW 2024 installations to LabVIEW 2024 Q3 Patch 2 or later via NI Package Manager
- Upgrade LabVIEW 2023 installations to LabVIEW 2023 Q3 Patch 5 or later via NI Package Manager
- Upgrade LabVIEW 2022 installations to LabVIEW 2022 Q3 Patch 4 or later via NI Package Manager
- Replace LabVIEW 2021 and earlier end-of-life versions with supported LabVIEW releases
- Review National Instruments security bulletin for additional guidance
- Apply defense-in-depth practices for industrial control systems per CISA recommendations
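One way to turn the upgrade targets above into a fleet-wide inventory check, as an added example that is not NI's or the advisory's own tooling: it classifies each LabVIEW installation as patched, vulnerable, end-of-life or outside the advisory's scope using the patch levels named in this debrief. The build-string format ("24.3f2" meaning LabVIEW 2024 Q3 Patch 2, with f0 as the unpatched base) and the hostnames in the sample inventory are assumptions, not something the advisory states.

```python
import re

# Patched releases named in the advisory text for CVE-2024-10495:
# LabVIEW 2024 Q3 Patch 2, 2023 Q3 Patch 5, 2022 Q3 Patch 4.
# Mapping {release year: (quarter, patch level)}.
PATCHED_AT = {2024: (3, 2), 2023: (3, 5), 2022: (3, 4)}

# Releases the advisory lists as end-of-life with no patch (2021 and below).
LAST_EOL_YEAR = 2021

# Assumption (not from the advisory): NI build strings look like "24.3f2",
# where 24 -> LabVIEW 2024, 3 -> Q3 and f2 -> Patch 2 (f0 = unpatched base).
BUILD_RE = re.compile(r"^(\d{2})\.(\d)f(\d+)$")


def parse_build(build: str) -> tuple:
    """Return (year, quarter, patch) for a build string such as '24.3f0'."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised LabVIEW build string: {build!r}")
    yy, quarter, patch = (int(g) for g in m.groups())
    return 2000 + yy, quarter, patch


def assess(build: str) -> str:
    """Classify one installation against CVE-2024-10495.

    Returns one of: 'patched', 'vulnerable', 'end-of-life', 'not-listed'.
    """
    year, quarter, patch = parse_build(build)
    if year <= LAST_EOL_YEAR:
        # No fix exists; the advisory's only remedy is replacing the release.
        return "end-of-life"
    if year not in PATCHED_AT:
        # Newer than anything the advisory names: outside its scope,
        # which is not the same as confirmed safe.
        return "not-listed"
    if (quarter, patch) >= PATCHED_AT[year]:
        return "patched"
    # "All versions" of 2022/2023 and 2024 up to 24.3f0 are affected, so any
    # build below the Q3 patch level, including earlier quarters, is vulnerable.
    return "vulnerable"


def triage(inventory):
    """Group (hostname, build) pairs by assessment to build a patch work list."""
    groups = {"patched": [], "vulnerable": [], "end-of-life": [], "not-listed": []}
    for host, build in inventory:
        groups[assess(build)].append(host)
    return groups


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = [
    ("test-rig-01", "24.3f0"),
    ("test-rig-02", "24.3f2"),
    ("bench-07", "23.1f1"),
    ("bench-08", "23.3f5"),
    ("lab-pc-12", "22.3f4"),
    ("legacy-daq", "21.0f0"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

The "not-listed" bucket is deliberate: a release newer than those the advisory names should be reviewed against the vendor bulletin rather than silently counted as patched.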
Evidence notes
The vulnerability is documented in CISA CSAF advisory ICSA-24-345-04, which identifies an out-of-bounds read when loading the font table. The CVSS 3.1 score of 7.8 (HIGH) reflects local attack vector, low attack complexity, no privileges required, and high impacts to confidentiality, integrity, and availability.
Official resources
- CVE-2024-10495 CVE record (CVE.org)
- CVE-2024-10495 NVD detail (NVD)
- Source item URL: cisa_csaf
National Instruments disclosed this vulnerability through CISA's ICS advisory program. The vulnerability was published on December 10, 2024, with initial advisory ICSA-24-345-04.