Untrusted Pointer Dereference Vulnerability in NI grpc-device Streaming API
CVE-2026-48137

9.3CRITICAL

Key Information:

Vendor: Ni
Status: Grpc-device; Instrumentstudio
Vendor: CVE Published:; 19 June 2026

What is CVE-2026-48137?

An untrusted pointer dereference flaw exists in the NI grpc-device sideband streaming API. This vulnerability can be exploited by an attacker to create a specially crafted Moniker protobuf message, leading to potential arbitrary memory dereference. Such exploitation may allow the execution of unauthorized code remotely. This vulnerability impacts all versions of NI grpc-device up to and including 2.17.0.

Affected Version(s)

grpc-device 0 <= 2.17.0

InstrumentStudio 0 <= 26.3.0

References

https://www.ni.com/en/support/security/available-critical...

vendor-advisory

https://github.com/ni/grpc-device/security/advisories/GHS...

vendor-advisory

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 19, 2026
Vulnerability Reserved
May 20, 2026

Credit

Sebastián Alba Vives (@Sebasteuo / 0xS4bb1)

CVE-2026-48137 Data

JSON

Ni

What is CVE-2026-48137?

Affected Version(s)

References

CVSS V4

Timeline

Credit