Description
There is a NULL pointer dereference vulnerability in NI grpc-device in the data moniker service that may allow an attacker to cause a denial of service by triggering a crash.  Successful exploitation requires an attacker to provide an unknown value to the data moniker service. This affects NI grpc-device 2.17.0 and prior versions.
Published: 2026-06-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NI grpc-device implements a data moniker service that contains a NULL pointer dereference flaw. When an attacker supplies an unknown value, the service dereferences the pointer and crashes, leading to a denial of service. The weakness is a classic null pointer dereference (CWE‑476), providing no gain of confidentiality or integrity but disabling the impacted component for legitimate users.

Affected Systems

The vulnerability affects NI’s InstrumentStudio and grpc-device products. Specifically, grpc-device versions 2.17.0 and earlier are vulnerable, and any related instrument studio components bundled with those versions are also at risk. Users should check the exact bundle version to confirm exposure.

Risk and Exploitability

With a CVSS score of 8.7 the flaw is considered high severity. The EPSS is not available, and the issue is not listed in the CISA KEV catalog. The likely attack vector is remote, via the grpc API, and an attacker does not need local privileges. Successful exploitation requires the attacker to send a crafted request to the data moniker service, making the vulnerability remotely exploitable and potentially disruptive to services relying on grpc-device.

Generated by OpenCVE AI on June 19, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available update to NI grpc-device to fix the NULL pointer dereference.
  • If an update cannot be applied immediately, disable or limit access to the data moniker service so that only trusted clients can communicate with it.
  • Restrict network exposure of the grpc-device API by configuring firewall rules or an API gateway to allow traffic solely from trusted IP ranges.

Generated by OpenCVE AI on June 19, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description There is a NULL pointer dereference vulnerability in NI grpc-device in the data moniker service that may allow an attacker to cause a denial of service by triggering a crash.  Successful exploitation requires an attacker to provide an unknown value to the data moniker service. This affects NI grpc-device 2.17.0 and prior versions.
Title NULL pointer dereference vulnerability in NI grpc-device data moniker service
First Time appeared Ni
Ni grpc-device
Ni instrumentstudio
Weaknesses CWE-476
CPEs cpe:2.3:a:ni:grpc-device:*:*:*:*:*:*:*:*
cpe:2.3:a:ni:instrumentstudio:*:*:*:*:*:*:*:*
Vendors & Products Ni
Ni grpc-device
Ni instrumentstudio
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Ni Grpc-device Instrumentstudio
cve-icon MITRE

Status: PUBLISHED

Assigner: NI

Published:

Updated: 2026-06-22T17:31:28.080Z

Reserved: 2026-05-20T19:51:56.935Z

Link: CVE-2026-48139

cve-icon Vulnrichment

Updated: 2026-06-22T17:31:21.328Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:36:12Z

Weaknesses