VYPR
Advisory · Published Apr 15, 2026 · Updated May 18, 2026 · 1 source

CVE-2026-32860: Critical Memory Corruption Flaw in NI LabVIEW LVLIB File Parsing

A critical memory corruption vulnerability in NI LabVIEW's LVLIB file parsing, tracked as CVE-2026-32860, allows remote code execution via a malicious file or webpage.

A critical memory corruption vulnerability in NI LabVIEW's parsing of LVLIB project library files has been disclosed by the Zero Day Initiative (ZDI) as ZDI-26-290. Tracked as CVE-2026-32860, the flaw carries a CVSS score of 7.8 and allows remote attackers to execute arbitrary code on affected installations. User interaction is required, meaning an attacker must convince a target to open a malicious LVLIB file or visit a specially crafted webpage.

The vulnerability resides in the way LabVIEW validates user-supplied data when parsing LVLIB files. The lack of proper validation can trigger a memory corruption condition, which an attacker can then exploit to execute arbitrary code in the context of the current process. Because LabVIEW is widely used in industrial control, test automation, and data acquisition environments, a successful exploit could give an attacker a foothold on critical engineering workstations.

NI has issued a security update to address the vulnerability. The advisory directs users to NI's security portal for the latest patch details. The disclosure timeline shows the vulnerability was reported to NI on February 11, 2026, with the coordinated public release occurring on April 15, 2026. The flaw was discovered and reported by researcher Rocco Calvi (@TecR0c) of TecSecurity.

Given LabVIEW's deployment in sensitive sectors such as manufacturing, energy, and aerospace, this vulnerability poses a significant risk to operational technology environments. Organizations using LabVIEW should prioritize applying the vendor-supplied update to mitigate the risk of remote code execution. The ZDI advisory notes that the vulnerability details and the NI security update page provide further guidance.

Synthesized by Vypr AI