Seven new vulnerabilities were recently disclosed in NI gRPC Device Server. They affect NI gRPC Device Server 2.17.0 and prior versions.
These vulnerabilities are identified as:
- CVE-2026-48137 – Untrusted pointer dereference in sideband streaming API
- CVE-2026-48138 – Out-of-bounds read vulnerability in the streaming API
- CVE-2026-48139 – NULL pointer dereference vulnerability in data moniker service
- CVE-2026-48140 – Unchecked enum cast vulnerability in BeginSidebandStream
- CVE-2026-48141 – Memory leak in BeginSidebandStream
- CVE-2026-9142 – Insecure Default Credentials vulnerability when TLS configuration is not present
- CVE-2026-9143 – Incorrect Conversion between Numeric Types due to missing range checks in CodeGen

NI strongly recommends upgrading the affected software to mitigate these vulnerabilities. Refer to the Affected Products section for information on upgrading these products.
NI Update Service is a Windows utility that checks for and delivers updates for NI software and drivers, including security updates. It can be used to manually check for updates, configured to periodically check and notify users, or to automatically download and install updates at a scheduled time.
Some mitigations in this advisory are delivered through NI Update Service. NI recommends upgrading to NI Update Service 2026 Q1 or later to get the latest updates. NI Update Service can be installed on its own and is backwards compatible with older NI software.
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
NI would like to thank Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) for reporting this issue and working with us on coordinated disclosure.
| Product Version | Mitigation |
|---|---|
| NI gRPC Device Server 2.17.0 and prior versions | Update to NI gRPC Device Server 2.18.0 or later. |
| InstrumentStudio 2026 Q2 and prior versions | In Work |