
NI grpc-device CVE-2026-48137

EUVD: EUVD-2026-38012 · CRITICAL
Untrusted Pointer Dereference (CWE-822)
2026-06-19 NI
9.3
CVSS 4.0 · Vendor: NI

Severity by source

Vendor (NI), primary rating: 9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.8 CRITICAL
Rationale: network-reachable gRPC API, no authentication or user interaction per the description; an untrusted pointer dereference leading to RCE implies full confidentiality, integrity and availability impact on the service host. (The vendor vector scores availability as None, which accounts for the 9.3 vs 9.8 difference.)
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (NI).

CVSS Vector (Vendor: NI)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity High, Availability None
Subsequent System Impact: Confidentiality None, Integrity None, Availability None

(CVSS 4.0 has no Scope metric; the 3.1 Scope concept is expressed through the Vulnerable/Subsequent System impact metrics above. Threat, environmental and supplemental metrics are all X, i.e. not defined.)

Lifecycle Timeline (5 events, newest first)

  • Jun 19, 2026 14:29, vuln.today: Analysis Updated, v3 (cvss_changed)
  • Jun 19, 2026 14:29, vuln.today: Analysis Updated, v2 (cvss_changed)
  • Jun 19, 2026 14:22, vuln.today: Re-analysis Queued (cvss_changed)
  • Jun 19, 2026 14:22, NVD: CVSS changed, 9.1 (CRITICAL) → 9.3 (CRITICAL)
  • Jun 19, 2026 14:15, vuln.today: Analysis Generated

Description (CVE.org)

There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution. Successful exploitation requires an attacker to supply a specially crafted Moniker protobuf message. This affects NI grpc-device 2.17.0 and prior versions.

Analysis (AI)

Remote code execution in NI grpc-device 2.17.0 and earlier is possible when an attacker sends a specially crafted Moniker protobuf message to the sideband streaming API, triggering an untrusted pointer dereference (CWE-822). The flaw is reachable without authentication or user interaction over the network, yielding a CVSS 4.0 base score of 9.3. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata; the advisory does not publish exploitation details.

Access: Identify a reachable grpc-device gRPC port
Delivery: Connect to the sideband streaming API (no authentication required per the vector)
Exploit: Send a crafted Moniker protobuf message
Execution: Trigger the untrusted pointer dereference
Control: Shape the dereference into an arbitrary memory write or control-flow hijack
Impact: Execute code in the context of the grpc-device service

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the NI grpc-device server (version 2.17.0 or earlier) be running and that its gRPC sideband streaming API be reachable from the attacker's network position; the attacker must be able to send a specially crafted Moniker protobuf message to that endpoint. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Multiple signals point to this being a real priority for any environment exposing grpc-device. The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H gives a 9.3 base score: network-reachable, no authentication, no user interaction, and high confidentiality and integrity impact. Availability is scored N by the vendor, plausibly because the primary outcome is memory corruption leading to code execution rather than a guaranteed crash; note that an invalid pointer dereference will in practice often crash the service, which is why the vuln.today vector scores VA:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario (hypothetical): An attacker with network reachability to a measurement workstation running NI grpc-device 2.17.0 connects to the gRPC sideband streaming endpoint and sends a crafted Moniker protobuf message whose internal identifier fields encode an attacker-chosen pointer value. The server deserializes the message and dereferences the supplied pointer without validation, enabling memory corruption that is shaped into arbitrary code execution in the context of the grpc-device service. The public description does not state which field carries the untrusted value or how it is dereferenced; this scenario is the generic CWE-822 pattern applied to the advisory text. …

Remediation: A patch is available per the vendor advisory. Upgrade NI grpc-device to a version newer than 2.17.0 as directed by the NI security bulletin at https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/multiple-vulnerabilities-in-ni-grpc-device-server.html and the upstream GitHub advisory GHSA-ww59-ghm9-mm63 at https://github.com/ni/grpc-device/security/advisories/GHSA-ww59-ghm9-mm63; take the exact fixed version from those advisories rather than from this page. … Detailed patch versions, workarounds, and compensating controls in full report.
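To make the CWE-822 class concrete, here is an added C++ example, written for this page and not taken from the NI grpc-device source or the advisory: a message handler that turns a client-supplied int64 straight into an object pointer, next to a handle-table version that treats the same integer as an opaque, validated index. The MonikerMsg and Stream layouts, the data_instance and session_id field names, and the generation-counter handle scheme are assumptions for illustration; the page does not say which field of the real Moniker message carries the untrusted value or how grpc-device stores its stream objects.

```cpp
// Added example, not NI grpc-device code: the CWE-822 pattern behind an
// "untrusted pointer dereference" in a protobuf-driven server, beside the
// handle-table pattern that removes it. Message layout, field names and the
// vulnerable code path are illustrative assumptions, not from the advisory.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for a deserialized streaming-data message. In a real
// protobuf the integer arrives as an int64 straight off the wire.
struct MonikerMsg {
    std::int64_t data_instance;   // client-supplied "which stream" value
    std::uint32_t session_id;     // caller's session, assumed authenticated
};

// Server-side object the message is meant to select.
struct Stream {
    std::uint32_t owner_session;
    double last_sample;
};

// VULNERABLE (CWE-822): the wire integer is reinterpreted as an object
// address, so whatever the client sends is where the server will read.
Stream* resolve_vulnerable(const MonikerMsg& m) {
    return reinterpret_cast<Stream*>(static_cast<std::intptr_t>(m.data_instance));
}

// HARDENED: the wire integer is an opaque handle checked against a table the
// server owns. Handle layout: high 32 bits = generation, low 32 bits = slot.
class HandleTable {
public:
    // Registers a stream; returns the opaque handle the client gets back.
    std::int64_t insert(Stream* s) {
        for (std::size_t i = 0; i < slots_.size(); ++i) {
            if (slots_[i].stream == nullptr) {          // reuse a freed slot
                slots_[i].stream = s;
                return make_handle(i, slots_[i].generation);
            }
        }
        if (slots_.size() >= kMaxSlots) return -1;      // table full
        slots_.push_back(Slot{s, 1});
        return make_handle(slots_.size() - 1, 1);
    }

    // Frees a slot and bumps its generation so the old handle stops resolving.
    bool erase(std::int64_t handle) {
        Slot* s = find(handle);
        if (s == nullptr) return false;
        s->stream = nullptr;
        ++s->generation;
        return true;
    }

    // Resolves a message to a stream, or nullptr if the value is negative or
    // out of range, names a freed/stale slot, or belongs to another session.
    Stream* resolve(const MonikerMsg& m) const {
        const Slot* s = find(m.data_instance);
        if (s == nullptr) return nullptr;
        if (s->stream->owner_session != m.session_id) return nullptr;
        return s->stream;
    }

private:
    struct Slot {
        Stream* stream;
        std::uint32_t generation;   // starts at 1; 0 is never a live generation
    };
    static constexpr std::size_t kMaxSlots = 0xFFFFFFFFu;

    static std::int64_t make_handle(std::size_t slot, std::uint32_t gen) {
        return static_cast<std::int64_t>((static_cast<std::uint64_t>(gen) << 32) |
                                         static_cast<std::uint64_t>(slot));
    }

    // Shared validation: negative, out-of-range and stale handles all fail.
    const Slot* find(std::int64_t handle) const {
        if (handle < 0) return nullptr;
        const std::uint64_t h = static_cast<std::uint64_t>(handle);
        const std::uint64_t slot = h & 0xFFFFFFFFu;
        const std::uint32_t gen = static_cast<std::uint32_t>(h >> 32);
        if (slot >= slots_.size()) return nullptr;
        const Slot& s = slots_[slot];
        if (s.stream == nullptr || s.generation != gen) return nullptr;
        return &s;
    }
    Slot* find(std::int64_t handle) {
        return const_cast<Slot*>(static_cast<const HandleTable*>(this)->find(handle));
    }

    std::vector<Slot> slots_;
};

int main() {
    HandleTable table;
    Stream real{7, 0.0};
    const std::int64_t handle = table.insert(&real);
    const MonikerMsg forged{0x41414141, 7};   // constructed attacker message
    std::printf("vulnerable: client value 0x%llx becomes address %p\n",
                static_cast<unsigned long long>(forged.data_instance),
                static_cast<void*>(resolve_vulnerable(forged)));
    std::printf("hardened: forged -> %s, legitimate handle -> %s\n",
                table.resolve(forged) ? "stream" : "rejected",
                table.resolve(MonikerMsg{handle, 7}) ? "stream" : "rejected");
    return 0;
}
```

The three rejections in resolve (out-of-range slot, stale generation, foreign session) are the checks a reviewer looks for wherever a wire integer selects a server-side object; resolve_vulnerable has none of them, so the client chooses the address the server dereferences. The generation counter also closes the use-after-free variant, where a handle freed by one request is replayed by a later one.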

Recommended Action (AI)

24 hours: Inventory all systems running NI grpc-device 2.17.0 or earlier; immediately isolate affected devices from untrusted networks and disable internet-facing access to the sideband API. …



CVE-2026-48137 vulnerability details – vuln.today
