Cyber Resilience

CVE-2026-48139

High

Published: 19 June 2026

Published
19 June 2026
Modified
25 June 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 26.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-48139 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Ni Instrumentstudio. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 26.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

There is a NULL pointer dereference vulnerability in NI grpc-device in the data moniker service that may allow an attacker to cause a denial of service by triggering a crash. Successful exploitation requires an attacker to provide an unknown value…

more

to the data moniker service. This affects NI grpc-device 2.17.0 and prior versions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference enables Application or System Exploitation (T1499.004) for Endpoint DoS via service crash.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

ni
instrumentstudio
2026 · ≤ 2025
ni
ni grpc device server
≤ 2.18.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References