CVE-2026-48137: Untrusted pointer dereference in NI grpc-device sideband streaming API
There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution. Successful exploitation requires an attacker to supply a specially crafted Moniker protobuf message. This affects NI grpc-device 2.17.0 and prior versions.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 2
HarborGuard Analysis
Synopsis
An untrusted pointer dereference vulnerability exists in the NI grpc-device sideband streaming API, affecting grpc-device 2.17.0 and earlier and NI InstrumentStudio 26.3.0 and earlier. The flaw is reachable over the network with no authentication required; an attacker sends a specially crafted Moniker protobuf message to trigger an arbitrary memory dereference. Successful exploitation results in remote code execution on the host running the affected service. No upstream fix version has been published yet; HarborGuard tracks this advisory for patch availability and will make a patched rebuild available as soon as one is released.
HarborGuard Coverage
Detection for CVE-2026-48137 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication, including custom-built images that bundle grpc-device or InstrumentStudio components. Coverage extends to any image layer containing the affected package, regardless of base image origin.
Available
HarborGuard scores this CVE at 9.3 Critical (CVSS v4.0) and is capable of weighting that score against each customer environment's compliance policy to determine urgency and routing. Triage results are available for delivery to the appropriate team inbox within each customer organization based on configured ownership rules.
Available
Because no upstream fix version has been published, HarborGuard re-checks the NI advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without requiring manual intervention.
Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable sideband streaming API is exposed over the network, so an attacker must be able to reach the service's listening port from a remote host.
- Authentication: Not required
The CVSS vector specifies PR:N, meaning no account or credential of any privilege level is needed before sending the malicious protobuf message.
- Victim interaction: Not required
The CVSS vector specifies UI:N, meaning exploitation is fully server-side and no user action such as clicking a link or opening a file is required.
- Attack complexity: Detail
The CVSS vector specifies AC:L with AT:N, meaning the exploit is reliable and condition-free with no race conditions or special environmental state required.
Blast Radius
- An attacker achieves remote code execution on the host running the affected grpc-device or InstrumentStudio service.
- The process's full memory contents are readable, exposing any secrets, keys, or data held in the service's address space at the time of exploitation.
- Persistent data accessible to the compromised process, such as configuration files, measurement records, or credentials on disk, can be read or overwritten.
- The attacker gains an execution foothold that can be used to pivot to other services or hosts on the same internal network.
How HarborGuard Handles This
Available on HarborGuard: because NI has not yet published a fix for CVE-2026-48137, HarborGuard continuously re-checks the upstream advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls are worth considering: network-policy rules that restrict inbound access to the grpc-device sideband streaming port to known, trusted hosts; egress filtering on pods or VMs running InstrumentStudio to limit lateral-movement opportunity if a compromise does occur; and, where operationally feasible, disabling or feature-flag-gating the sideband streaming interface until a patch is available. HarborGuard will surface the rebuilt image and close the advisory tracking entry as soon as upstream ships a fix.
- NI / grpc-device ≤ 2.17.0
- NI / InstrumentStudio ≤ 26.3.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
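The exploit conditions listed above can be read mechanically from this vector string, which is useful when triaging many advisories at once. The Python below is an added example, not HarborGuard or NI code; the function names are hypothetical, and the per-metric value sets are those of the CVSS v4.0 base metric group.

```python
# Added example: validate a CVSS v4.0 base vector and read off exploit preconditions.
# Allowed values per metric follow the CVSS v4.0 base metric group.
BASE_METRICS = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",
    "SC": "HLN", "SI": "HLN", "SA": "HLN",
}

# Vector string as published in this advisory.
ADVISORY_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"

def parse_cvss4_base(vector):
    """Return {metric: value}; raise ValueError if the base vector is malformed."""
    prefix, _, rest = vector.strip().partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    metrics = {}
    for part in rest.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name in metrics:
            raise ValueError(f"malformed or repeated metric: {part!r}")
        metrics[name] = value
    # All eleven base metrics are mandatory; other metric groups are not checked here.
    for name, allowed in BASE_METRICS.items():
        value = metrics.get(name)
        if value is None:
            raise ValueError(f"missing base metric {name}")
        if len(value) != 1 or value not in allowed:
            raise ValueError(f"invalid value for {name}: {value!r}")
    return metrics

def exploit_conditions(metrics):
    """Map exploitability metrics to the questions a triage owner asks."""
    return {
        "network_reachable": metrics["AV"] == "N",
        "authentication_required": metrics["PR"] != "N",
        "victim_interaction_required": metrics["UI"] != "N",
        "low_complexity_no_prerequisites": metrics["AC"] == "L" and metrics["AT"] == "N",
    }

def unauthenticated_remote(metrics):
    """True when the service port alone is the attack surface (AV:N, PR:N, UI:N)."""
    c = exploit_conditions(metrics)
    return (c["network_reachable"] and not c["authentication_required"]
            and not c["victim_interaction_required"])

if __name__ == "__main__":
    print(exploit_conditions(parse_cvss4_base(ADVISORY_VECTOR)))
```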