CVE-2026-48138
Analyzed Analyzed - Analysis Complete

Out-of-Bounds Read in NI grpc-device API

Vulnerability report for CVE-2026-48138, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-25

Assigner: National Instruments

Description

There is an out-of-bounds read vulnerability in the NI grpc-device streaming API due to a missing bounds check that may result in a denial of service. Successful exploitation requires an attacker to supply a specially crafted write request. This affects NI grpc-device 2.17.0 and prior versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-25
Generated
2026-07-10
AI Q&A
2026-06-20
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
ni instrumentstudio to 2025 (inc)
ni instrumentstudio 2026
ni instrumentstudio 2026
ni ni_grpc_device_server to 2.18.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring for unusual or malformed write requests sent to the NI grpc-device streaming API, as the exploit requires a specially crafted write request to trigger the out-of-bounds read.

Since the attack vector is network-based and does not require privileges or user interaction, network traffic analysis tools can be used to inspect grpc-device API requests for anomalies.

Specific commands are not provided in the available resources, but general approaches include using packet capture tools like tcpdump or Wireshark to filter and analyze grpc-device traffic, or employing network intrusion detection systems (NIDS) with custom rules to detect malformed write requests targeting grpc-device.

Additionally, checking the version of the grpc-device package installed on your system can help identify if it is vulnerable. Upgrading to version 2.18.0 or later mitigates the risk.

Executive Summary

CVE-2026-48138 is an out-of-bounds read vulnerability in the NI grpc-device streaming API caused by a missing bounds check.

This means the software reads data outside the intended buffer range, which can lead to unexpected behavior.

An attacker can exploit this by sending a specially crafted write request to the affected versions (prior to 2.18.0) of the grpc-device package.

Successful exploitation may result in a denial of service, making the system unavailable.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The primary impact of this vulnerability is a denial of service condition.

An attacker can cause the affected system to become unavailable by exploiting the out-of-bounds read flaw.

The attack can be performed remotely over the network without requiring any privileges or user interaction.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade the NI grpc-device package to version 2.18.0 or later.

This update addresses the out-of-bounds read issue caused by a missing bounds check in the streaming API, preventing potential denial of service attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48138. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart