Impact
NI grpc-device contains an unchecked enum cast in the BeginSidebandStream operation that allows an attacker to supply a specially crafted message with an out‑of‑range value. The improper cast can lead to unstable enum states and undefined behavior in the server process, which may culminate in a crash and subsequent denial of service. While no remote code execution or data theft is described, the impact on availability can be significant for systems that rely on continuous, real‑time data streaming.
Affected Systems
The vulnerability applies to NI grpc-device version 2.17.0 and all earlier releases, and is also relevant to NI InstrumentStudio products that include the grpc-device component. Users of either NI InstrumentStudio or the standalone grpc-device service should verify whether they are running a vulnerable version.
Risk and Exploitability
The CVSS base score of 7.1 indicates a high severity. EPSS data is not available, so the current exploit probability is unclear, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to send a crafted sideband stream request, which suggests the attack vector is remote and network‑based, targeting the specific gRPC interface. Given the lack of protection against out‑of‑range inputs, an attacker who can reach the grpc‑device endpoint can likely trigger the crash when the server processes the malformed message.
OpenCVE Enrichment