Impact
NI grpc-device contains an incorrect conversion between numeric types caused by missing range checks in CodeGen. When a size value exceeds the target type’s range, high bits can be silently truncated, which may lead to corrupted data processing, incorrect operation of the device at runtime.
Affected Systems
The vulnerability affects NI grpc-device versions 2.17.0 and older, as well as NI InstrumentStudio assemblies that rely on this device. The list of affected products includes NI grpc-device and NI InstrumentStudio according to the vendor’s CNA.
Risk and Exploitability
The CVSS score of 6.3 indicates a medium severity. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that active exploitation is not currently known. Because grpc-device runs as a server process communication component, the likely attack vector is remote via malicious or compromised gRPC client requests that supply out‑of‑range numeric values. An attacker with access to the gRPC endpoint can trigger the silent truncation, which is inferred to potentially lead to data corruption or instability of the device and any systems depending on it.
OpenCVE Enrichment