CVE-2026-48137
Published: 19 June 2026
Summary
CVE-2026-48137 is a critical-severity Untrusted Pointer Dereference (CWE-822) vulnerability in NI InstrumentStudio. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 41.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-38012
Vulnerability details
There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution. Successful exploitation requires an attacker to supply a specially crafted Moniker protobuf message. This affects NI grpc-device 2.17.0 and prior versions.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An untrusted pointer dereference in an exposed gRPC API allows a remote attacker to supply a crafted protobuf message, leading directly to arbitrary memory dereference and RCE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.