CVE-2026-48139 NI CVE debrief

Who should care

Organizations using NI grpc-device version 2.17.0 or prior should be aware of this vulnerability and take immediate action to limit exposure. This includes reviewing current versions, assessing potential attack vectors, and implementing compensating controls if necessary.

Technical summary

The vulnerability is caused by a NULL pointer dereference in the data moniker service of NI grpc-device. An attacker could exploit this vulnerability by providing an unknown value to the data moniker service, potentially leading to a denial of service through a system crash. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

High priority due to CVSS score of 8.7 and potential for denial of service

Recommended defensive actions

• Inventory NI grpc-device installations to identify affected versions
• Review and apply available patches from the vendor
• Implement compensating controls to limit exposure
• Monitor for suspicious activity related to the data moniker service
• Review system logs for potential exploitation attempts

Evidence notes

The primary evidence for this vulnerability comes from the NVD and CVE.org records. The vulnerability affects NI grpc-device version 2.17.0 and prior. Defenders should verify the current version of NI grpc-device in use and review the official vendor advisories for patching information.

Official resources