Description
There is an incorrect conversion between numeric types vulnerability in NI grpc-device due to missing range checks in CodeGen.  This may silently discard high bits if a size value exceeded the target type's range. This affects NI grpc-device 2.17.0 and prior versions.
Published: 2026-06-19
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NI grpc-device contains an incorrect conversion between numeric types caused by missing range checks in CodeGen. When a size value exceeds the target type’s range, high bits can be silently truncated, which may lead to corrupted data processing, incorrect operation of the device at runtime.

Affected Systems

The vulnerability affects NI grpc-device versions 2.17.0 and older, as well as NI InstrumentStudio assemblies that rely on this device. The list of affected products includes NI grpc-device and NI InstrumentStudio according to the vendor’s CNA.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that active exploitation is not currently known. Because grpc-device runs as a server process communication component, the likely attack vector is remote via malicious or compromised gRPC client requests that supply out‑of‑range numeric values. An attacker with access to the gRPC endpoint can trigger the silent truncation, which is inferred to potentially lead to data corruption or instability of the device and any systems depending on it.

Generated by OpenCVE AI on June 19, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NI grpc-device to version 2.18.0 or later, which removes the missing range checks in CodeGen
  • Upgrade any dependent NI InstrumentStudio components to the latest release that incorporates the fixed grpc-device libraries
  • Restrict gRPC server exposure by limiting network access to trusted hosts or applying firewall rules to block unauthorized gRPC traffic

Generated by OpenCVE AI on June 19, 2026 at 21:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description There is an incorrect conversion between numeric types vulnerability in NI grpc-device due to missing range checks in CodeGen.  This may silently discard high bits if a size value exceeded the target type's range. This affects NI grpc-device 2.17.0 and prior versions.
Title Incorrect Conversion between Numeric Types in NI grpc-device due to missing range checks in CodeGen
First Time appeared Ni
Ni grpc-device
Ni instrumentstudio
Weaknesses CWE-681
CPEs cpe:2.3:a:ni:grpc-device:*:*:*:*:*:*:*:*
cpe:2.3:a:ni:instrumentstudio:*:*:*:*:*:*:*:*
Vendors & Products Ni
Ni grpc-device
Ni instrumentstudio
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Ni Grpc-device Instrumentstudio
cve-icon MITRE

Status: PUBLISHED

Assigner: NI

Published:

Updated: 2026-06-22T19:33:04.895Z

Reserved: 2026-05-20T19:52:00.357Z

Link: CVE-2026-9143

cve-icon Vulnrichment

Updated: 2026-06-22T19:32:52.304Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T22:00:07Z

Weaknesses
  • CWE-681

    Incorrect Conversion between Numeric Types