Description
There is an out-of-bounds read vulnerability in the NI grpc-device streaming API due to a missing bounds check that may result in a denial of service. Successful exploitation requires an attacker to supply a specially crafted write request. This affects NI grpc-device 2.17.0 and prior versions.
Published: 2026-06-19
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an out-of-bounds read caused by a missing bounds check in the NI grpc-device streaming API. If an attacker supplies a specially crafted write request, the application may read beyond the intended memory buffer, potentially leading to a denial of service. The impact is limited to application crashes or unintended termination, with no disclosed data leak or code execution.

Affected Systems

Affected vendors include NI InstrumentStudio and NI grpc-device. The specific vulnerable product is NI grpc-device version 2.17.0 and all earlier releases. InstrumentStudio users should verify whether they are using a bundled version of grpc-device that includes the vulnerable code.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a network‑bound request to the grpc-device streaming API, requiring the attacker to be able to send a crafted write request. Successful exploitation would result in a service crash rather than remote code execution or data theft. No public exploit has been seen so far.

Generated by OpenCVE AI on June 19, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NI grpc-device to version 2.18 or later to remove the bounds check error.
  • Verify and apply any available updates for NI InstrumentStudio that address the grpc-device dependency.
  • If an upgrade is not immediately possible, restrict network access to the grpc-device streaming API or isolate the device behind a firewall to limit exposure to crafted requests.

Generated by OpenCVE AI on June 19, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description There is an out-of-bounds read vulnerability in the NI grpc-device streaming API due to a missing bounds check that may result in a denial of service. Successful exploitation requires an attacker to supply a specially crafted write request. This affects NI grpc-device 2.17.0 and prior versions.
Title Out-of-bounds read vulnerability in the NI grpc-device streaming API
First Time appeared Ni
Ni grpc-device
Ni instrumentstudio
Weaknesses CWE-125
CPEs cpe:2.3:a:ni:grpc-device:*:*:*:*:*:*:*:*
cpe:2.3:a:ni:instrumentstudio:*:*:*:*:*:*:*:*
Vendors & Products Ni
Ni grpc-device
Ni instrumentstudio
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ni Grpc-device Instrumentstudio
cve-icon MITRE

Status: PUBLISHED

Assigner: NI

Published:

Updated: 2026-06-19T13:16:03.969Z

Reserved: 2026-05-20T19:51:56.935Z

Link: CVE-2026-48138

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T21:30:17Z

Weaknesses