Skip to main content

NI grpc-device CVE-2026-48141

| EUVDEUVD-2026-38029 MEDIUM
Memory Leak (CWE-401)
2026-06-19 NI
6.0
CVSS 4.0 · Vendor: NI
Share

Severity by source

Vendor (NI) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-reachable via gRPC but requires authenticated low-privilege access and specific repeated invocation patterns; impact is solely availability of the grpc-device service.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (NI).

CVSS VectorVendor: NI

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 14:28 vuln.today
CVSS changed
Jun 19, 2026 - 14:22 NVD
5.3 (MEDIUM) 6.0 (MEDIUM)

DescriptionCVE.org

There is a memory leak in NI grpc-device BeginSidebandStream that may result in denial of service due to memory exhaustion.  This affects NI grpc-device 2.17.0 and prior versions.

AnalysisAI

Memory exhaustion denial of service in NI grpc-device's BeginSidebandStream RPC endpoint allows authenticated network attackers to crash or destabilize the server by triggering a cumulative memory leak with each invocation. All versions of NI grpc-device up to and including 2.17.0 are affected, along with NI InstrumentStudio as a dependent product. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege credentials for grpc-device server
Delivery
Connect to gRPC endpoint over network
Exploit
Repeatedly invoke BeginSidebandStream RPC without releasing streams
Execution
Memory accumulates per call without reclamation
Persist
Server process exhausts available system memory
Impact
grpc-device service crashes or becomes unresponsive, denying service to all clients

Vulnerability AssessmentAI

Exploitation Exploitation requires authenticated network access to the NI grpc-device gRPC server - the CVSS 4.0 vector specifies PR:L, confirming low-privilege authentication is a mandatory prerequisite; unauthenticated exploitation is not supported by available data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H) scores 6.0, reflecting a network-reachable flaw with high availability impact but constrained by two key mitigating factors: authenticated low-privilege access is required (PR:L), and attack complexity is high (AC:H), indicating exploitation is not trivially reproducible and likely demands specific knowledge of invocation patterns or timing to reliably exhaust memory. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privilege user or compromised client application with access to the NI grpc-device gRPC endpoint repeatedly calls BeginSidebandStream without completing the stream lifecycle, causing the server process to accumulate unreleased memory allocations. Sustained over time or at high call rate, available system memory is exhausted, causing the grpc-device server to crash or become unresponsive and disrupting all connected measurement clients and automated test workflows. …
Remediation The primary remediation is to upgrade NI grpc-device to a version beyond 2.17.0 per vendor guidance. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48141 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy