Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable via gRPC but requires authenticated low-privilege access and specific repeated invocation patterns; impact is solely availability of the grpc-device service.
Primary rating from Vendor (NI).
Description (CVE.org)
There is a memory leak in NI grpc-device BeginSidebandStream that may result in denial of service due to memory exhaustion. This affects NI grpc-device 2.17.0 and prior versions.
Analysis (AI)
Memory exhaustion denial of service in NI grpc-device's BeginSidebandStream RPC endpoint allows authenticated network attackers to crash or destabilize the server by triggering a cumulative memory leak with each invocation. All versions of NI grpc-device up to and including 2.17.0 are affected, along with NI InstrumentStudio as a dependent product. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires authenticated network access to the NI grpc-device gRPC server - the CVSS 4.0 vector specifies PR:L, confirming low-privilege authentication is a mandatory prerequisite; unauthenticated exploitation is not supported by available data. … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H) scores 6.0, reflecting a network-reachable flaw with high availability impact but constrained by two key mitigating factors: authenticated low-privilege access is required (PR:L), and attack complexity is high (AC:H), indicating exploitation is not trivially reproducible and likely demands specific knowledge of invocation patterns or timing to reliably exhaust memory. … |
| Exploit Scenario | An authenticated low-privilege user or compromised client application with access to the NI grpc-device gRPC endpoint repeatedly calls BeginSidebandStream without completing the stream lifecycle, causing the server process to accumulate unreleased memory allocations. Sustained over time or at high call rate, available system memory is exhausted, causing the grpc-device server to crash or become unresponsive and disrupting all connected measurement clients and automated test workflows. … |
| Remediation | The primary remediation is to upgrade NI grpc-device to a version beyond 2.17.0 per vendor guidance. … |
EUVD-2026-38029