CVE-2026-32861: Critical Memory Corruption Flaw in NI LabVIEW LVCLASS File Parsing
A memory corruption vulnerability in NI LabVIEW's LVCLASS file parsing (CVE-2026-32861, CVSS 7.8) allows remote code execution via a malicious file, with a patch now available.
A critical memory corruption vulnerability has been disclosed in NI LabVIEW, tracked as CVE-2026-32861 with a CVSS score of 7.8. The flaw resides in the parsing of LVCLASS files, where improper validation of user-supplied data can trigger a memory corruption condition. An attacker can exploit this by convincing a user to open a specially crafted LVCLASS file or visit a malicious page, leading to remote code execution in the context of the current process.
The vulnerability was reported by researcher Rocco Calvi (@TecR0c) of TecSecurity through the Zero Day Initiative (ZDI) program. ZDI assigned the advisory ZDI-26-291, with the internal tracking ID ZDI-CAN-28516. The disclosure timeline shows the report was submitted to NI on January 20, 2026, and the coordinated public release occurred on April 15, 2026.
NI has issued a security update to address the vulnerability. Users can find the patch and additional details on NI's security advisory page: NI LabVIEW LVCLASS File Parsing Memory Corruption Vulnerability. The advisory provides guidance on applying the update to mitigate the risk.
LabVIEW is widely used in industrial control, automation, and research environments for data acquisition and instrument control. The vulnerability poses a significant risk to organizations relying on LabVIEW for critical operations, as successful exploitation could allow attackers to execute arbitrary code on affected systems. Given the need for user interaction, the attack vector is local, but the impact on confidentiality, integrity, and availability is high.
This disclosure highlights the ongoing challenges in securing complex file parsing routines in engineering software. Users are strongly advised to apply the security update promptly and exercise caution when opening LVCLASS files from untrusted sources. The ZDI program continues to play a key role in identifying and responsibly disclosing such vulnerabilities to protect the broader cybersecurity ecosystem.