
InstrumentStudio

7 CVEs product

Monthly

CVE-2026-9143 MEDIUM This Month

Silent integer truncation in NI grpc-device 2.17.0 and earlier allows unauthenticated network-accessible attackers to corrupt size values processed by the CodeGen component, potentially causing integrity violations in instrument control operations. The root cause is CWE-681 - missing range checks during numeric type conversion in CodeGen - meaning oversized size fields silently lose their high-order bits rather than being rejected or flagged. No CISA KEV listing and no public exploit code have been identified at time of analysis, placing this in a lower operational priority tier despite its medium CVSS 4.0 score of 6.3.

Information Disclosure Grpc Device Instrumentstudio
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-9142 CRITICAL Act Now

Unauthenticated network access to NI grpc-device 2.17.0 and earlier is possible when the server is deployed without TLS configuration and bound to a non-loopback interface, exposing instrument control services to anyone on the local network. The flaw stems from insecure default credentials behavior and aligns with CWE-306 (missing authentication for a critical function). No public exploit has been identified at time of analysis, though the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact under default-prone deployments.

Authentication Bypass Grpc Device Instrumentstudio
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-48141 MEDIUM This Month

Memory exhaustion denial of service in NI grpc-device's BeginSidebandStream RPC endpoint allows authenticated network attackers to crash or destabilize the server by triggering a cumulative memory leak with each invocation. All versions of NI grpc-device up to and including 2.17.0 are affected, along with NI InstrumentStudio as a dependent product. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the network-accessible attack vector makes it relevant for any deployment where the grpc-device server is reachable by untrusted authenticated clients.

Denial Of Service Grpc Device Instrumentstudio
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-48140 HIGH This Week

Denial of service in NI grpc-device 2.17.0 and earlier allows an authenticated remote attacker to crash or destabilize the gRPC server by sending a crafted BeginSidebandStream message containing an out-of-range enum value. The unchecked cast triggers undefined behavior in the server process, with no public exploit identified at time of analysis. The flaw is reported by the vendor and tracked under GHSA-prfr-q8h3-mqxv.

Denial Of Service Grpc Device Instrumentstudio
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-48139 HIGH This Week

Denial of service in NI grpc-device 2.17.0 and prior allows remote unauthenticated attackers to crash the data moniker service by submitting an unknown value that triggers a NULL pointer dereference. The flaw also impacts deployments embedding the server via NI InstrumentStudio. No public exploit is identified at time of analysis, though the CVSS 4.0 base score of 8.7 reflects high availability impact reachable over the network without privileges.

Denial Of Service Null Pointer Dereference Grpc Device Instrumentstudio
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-48138 HIGH This Week

Remote denial of service in NI grpc-device 2.17.0 and earlier allows unauthenticated network attackers to crash the streaming API by sending a specially crafted write request that triggers an out-of-bounds read (CWE-125). The flaw was reported by NI itself and is documented in both an NI security bulletin and a GitHub security advisory (GHSA-8rjh-429j-f6gw); no public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Denial Of Service Information Disclosure Grpc Device Instrumentstudio
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-48137 CRITICAL Act Now

Remote code execution in NI grpc-device 2.17.0 and earlier is possible when an attacker sends a specially crafted Moniker protobuf message to the sideband streaming API, triggering an untrusted pointer dereference (CWE-822). The flaw is reachable without authentication or user interaction over the network, yielding a CVSS 4.0 base score of 9.3. No public exploit has been identified at time of analysis, but vendor advisories from NI and the upstream GitHub Security Advisory GHSA-ww59-ghm9-mm63 are published.

RCE Grpc Device Instrumentstudio
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%