Impact
NI grpc-device implements a data moniker service that contains a NULL pointer dereference flaw. When an attacker supplies an unknown value, the service dereferences the pointer and crashes, leading to a denial of service. The weakness is a classic null pointer dereference (CWE‑476), providing no gain of confidentiality or integrity but disabling the impacted component for legitimate users.
Affected Systems
The vulnerability affects NI’s InstrumentStudio and grpc-device products. Specifically, grpc-device versions 2.17.0 and earlier are vulnerable, and any related instrument studio components bundled with those versions are also at risk. Users should check the exact bundle version to confirm exposure.
Risk and Exploitability
With a CVSS score of 8.7 the flaw is considered high severity. The EPSS is not available, and the issue is not listed in the CISA KEV catalog. The likely attack vector is remote, via the grpc API, and an attacker does not need local privileges. Successful exploitation requires the attacker to send a crafted request to the data moniker service, making the vulnerability remotely exploitable and potentially disruptive to services relying on grpc-device.
OpenCVE Enrichment