PatchSiren cyber security CVE debrief
CVE-2024-10496 NI CVE debrief
An out-of-bounds read vulnerability exists in the BuildFontMap function within National Instruments LabVIEW. This vulnerability may allow an attacker to disclose sensitive information or execute arbitrary code. The issue affects multiple versions of LabVIEW, including the 2024 release up to Q3 24.3f0, all versions of LabVIEW 2023, all versions of LabVIEW 2022, and LabVIEW 2021 and earlier versions which have reached end-of-life. National Instruments has released patches for supported versions. LabVIEW 2021 and prior versions receive no support and should be upgraded to a supported release.
- Vendor: NI
- Product: LabVIEW 2024
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-12-10
- Original CVE updated: 2024-12-10
- Advisory published: 2024-12-10
- Advisory updated: 2024-12-10
Who should care
Organizations using National Instruments LabVIEW for test, measurement, and control applications, particularly in industrial and research environments. System administrators maintaining LabVIEW deployments should prioritize patching supported versions and planning migration from end-of-life releases.
Technical summary
The vulnerability resides in the BuildFontMap function and is classified as an out-of-bounds read. Successful exploitation could result in information disclosure or arbitrary code execution. The attack vector is local, requiring user interaction, with low attack complexity and no privileges required. The vulnerability affects confidentiality, integrity, and availability with high impact ratings.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade LabVIEW 2024 installations to Q3 Patch 2 or later via NI Package Manager
- Upgrade LabVIEW 2023 installations to Q3 Patch 5 or later via NI Package Manager
- Upgrade LabVIEW 2022 installations to Q3 Patch 4 or later via NI Package Manager
- Migrate LabVIEW 2021 and earlier end-of-life versions to a supported LabVIEW release
- Review National Instruments security bulletin for additional guidance
- Apply defense-in-depth controls for industrial control systems per CISA recommended practices
Evidence notes
CVE published 2024-12-10. CISA ICS advisory ICSA-24-345-04 published same date. CVSS 3.1 score 7.8 (HIGH).
Official resources
- CVE-2024-10496 CVE record (CVE.org)
- CVE-2024-10496 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-12-10