Untrusted Pointer Deref in NI grpc-device <2.17.0 sideband API: RCE
CVE-2026-48137 Published on June 19, 2026

Untrusted pointer dereference in NI grpc-device sideband streaming API
There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution. Successful exploitation requires an attacker to supply a specially crafted Moniker protobuf message. This affects NI grpc-device 2.17.0 and prior versions.

Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-48137 can be exploited with network access and requires neither privileges nor user interaction. It is considered to have low attack complexity. A successful exploit is rated as having a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

Weakness Type

Untrusted Pointer Dereference

The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.


Products Associated with CVE-2026-48137

NI grpc-device, NI InstrumentStudio

Affected Versions

NI grpc-device: NI InstrumentStudio: