LabVIEW 64-bit LvVariantUnflatten Vulnerability


NI has released software patches for a security vulnerability that affects 64-bit versions of LabVIEW software.


The LvVariantUnflatten function in 64-bit versions of LabVIEW prior to LabVIEW 2017 is susceptible to a heap memory corruption vulnerability. A specially crafted VI file can cause a attacker-controlled amount of heap space to be overwritten when the VI file is loaded. Exploitation could lead to arbitrary code execution.



NI has provided patches for LabVIEW 2016, LabVIEW 2015 SP1 and 2014 SP1.  NI recommends that you install these patches. There are no plans to patch any earlier versions.



You can reduce the likelihood of exploitation by adhering to Security Best Practices for LabVIEW VI Files.


CVSS Score

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H


Patch Download Locations

LabVIEW 2016 f2 Patch

LabVIEW 2015 SP1 f7 Patch

LabVIEW 2014 SP1 f10 Patch


Related Links



Security Best Practices for LabVIEW VI Files


Revision History

5/2/2017 - Initial

7/24/2017 - Updated for LabVIEW 2014 SP1 f10 Patch

Was this information helpful?