The LvVariantUnflatten function in 64-bit versions of LabVIEW prior to LabVIEW 2017 is susceptible to a heap memory corruption vulnerability. A specially crafted VI file can cause an attacker-controlled amount of heap space to be overwritten when the VI file is loaded. Exploitation could lead to arbitrary code execution.
NI has provided patches for LabVIEW 2016, LabVIEW 2015 SP1, and LabVIEW 2014 SP1. NI recommends that you install these patches. There are no plans to patch any earlier versions.
You can reduce the likelihood of exploitation by adhering to Security Best Practices for LabVIEW VI Files.
CVSS v3.0 base score: 7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Patch Download Locations
LabVIEW 2016 f2 Patch
LabVIEW 2015 SP1 f7 Patch
LabVIEW 2014 SP1 f10 Patch
Security Best Practices for LabVIEW VI Files
5/2/2017 - Initial
7/24/2017 - Updated for LabVIEW 2014 SP1 f10 Patch