Description
There is an unchecked enum cast vulnerability in NI grpc-device BeginSidebandStream that may allow an attacker to trigger invalid enum states and undefined behavior, potentially resulting in a denial of service. Successful exploitation requires an attacker to supply a specially crafted message containing an out-of-range value. This affects NI grpc-device 2.17.0 and prior versions.
Published: 2026-06-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NI grpc-device contains an unchecked enum cast in the BeginSidebandStream operation that allows an attacker to supply a specially crafted message with an out‑of‑range value. The improper cast can lead to unstable enum states and undefined behavior in the server process, which may culminate in a crash and subsequent denial of service. While no remote code execution or data theft is described, the impact on availability can be significant for systems that rely on continuous, real‑time data streaming.

Affected Systems

The vulnerability applies to NI grpc-device version 2.17.0 and all earlier releases, and is also relevant to NI InstrumentStudio products that include the grpc-device component. Users of either NI InstrumentStudio or the standalone grpc-device service should verify whether they are running a vulnerable version.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity. EPSS data is not available, so the current exploit probability is unclear, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to send a crafted sideband stream request, which suggests the attack vector is remote and network‑based, targeting the specific gRPC interface. Given the lack of protection against out‑of‑range inputs, an attacker who can reach the grpc‑device endpoint can likely trigger the crash when the server processes the malformed message.

Generated by OpenCVE AI on June 19, 2026 at 21:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NI grpc-device to a version newer than 2.17.0, if available, to eliminate the unchecked enum cast.
  • Upgrade NI InstrumentStudio to the latest version, which includes an updated grpc-device component.
  • If an immediate update cannot be applied, restrict inbound traffic to the grpc-device gRPC port so that only trusted hosts can send sideband stream requests, reducing exposure to malformed messages.

Generated by OpenCVE AI on June 19, 2026 at 21:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description There is an unchecked enum cast vulnerability in NI grpc-device BeginSidebandStream that may allow an attacker to trigger invalid enum states and undefined behavior, potentially resulting in a denial of service. Successful exploitation requires an attacker to supply a specially crafted message containing an out-of-range value. This affects NI grpc-device 2.17.0 and prior versions.
Title Unchecked enum cast vulnerability in NI grpc-device in BeginSidebandStream
First Time appeared Ni
Ni grpc-device
Ni instrumentstudio
Weaknesses CWE-704
CPEs cpe:2.3:a:ni:grpc-device:*:*:*:*:*:*:*:*
cpe:2.3:a:ni:instrumentstudio:*:*:*:*:*:*:*:*
Vendors & Products Ni
Ni grpc-device
Ni instrumentstudio
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Ni Grpc-device Instrumentstudio
cve-icon MITRE

Status: PUBLISHED

Assigner: NI

Published:

Updated: 2026-06-22T16:37:50.838Z

Reserved: 2026-05-20T19:51:56.936Z

Link: CVE-2026-48140

cve-icon Vulnrichment

Updated: 2026-06-22T16:37:39.224Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T22:00:06Z

Weaknesses
  • CWE-704

    Incorrect Type Conversion or Cast