Description
There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution. Successful exploitation requires an attacker to supply a specially crafted Moniker protobuf message. This affects NI grpc-device 2.17.0 and prior versions.
Published: 2026-06-19
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an untrusted pointer dereference in the NI grpc-device sideband streaming API. An attacker can supply a specially crafted Moniker protobuf message that leads to an arbitrary memory dereference, potentially allowing the attacker to execute arbitrary code on the affected system. The weakness is categorized as CWE-822.

Affected Systems

The issue affects NI grpc-device version 2.17.0 and earlier. It also impacts NI InstrumentStudio, though specific version information is not detailed. The vulnerability is present in the sideband streaming API used by both products.

Risk and Exploitability

The CVSS base score of 9.3 indicates critical severity, and the vulnerability is not listed in CISA’s KEV catalog. EPSS data is unavailable, so the likelihood assessment is uncertain. Based on the description, the attacker must remotely send a crafted Moniker protobuf message over the grpc-device sideband streaming channel, so the likely attack path is remote exploitation from within the network, or across the internet if the service is exposed. Successful exploitation could lead to remote code execution on the host running grpc-device.

Generated by OpenCVE AI on June 19, 2026 at 20:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NI grpc-device to a version newer than 2.17.0, as released in the latest critical updates for NI grpc-device.
  • If an immediate upgrade is not feasible, disable or restrict access to the grpc-device sideband streaming API until a patch is applied.
  • Enforce strict input validation for Moniker protobuf messages to prevent invalid memory dereference, following CWE-822 remediation practices.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution. Successful exploitation requires an attacker to supply a specially crafted Moniker protobuf message. This affects NI grpc-device 2.17.0 and prior versions. |
| Title | | Untrusted pointer dereference in NI grpc-device sideband streaming API |
| First Time appeared | | Ni; Ni grpc-device; Ni instrumentstudio |
| Weaknesses | | CWE-822 |
| CPEs | | `cpe:2.3:a:ni:grpc-device:*:*:*:*:*:*:*:*`; `cpe:2.3:a:ni:instrumentstudio:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Ni; Ni grpc-device; Ni instrumentstudio |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}; cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: NI

Published:

Updated: 2026-06-19T13:18:09.580Z

Reserved: 2026-05-20T19:51:56.935Z

Link: CVE-2026-48137

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses
  • CWE-822: Untrusted Pointer Dereference