External risk intelligence

NI grpc-device Untrusted Pointer Dereference Allows Remote Code Execution

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-48137

The vulnerability affects an industrial automation device driver API (grpc-device). Such APIs are typically deployed within private, isolated industrial or laboratory control networks to communicate with hardware, rather than being exposed directly to the public internet.

Remote Code Execution

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

An untrusted pointer dereference vulnerability has been identified in a specific API used for device communication. This issue could allow an attacker to remotely execute code by sending a specially crafted message, potentially impacting systems that utilize this technology. The primary concern is to determine if these systems are in use and exposed.

  • A code flaw allows remote attackers to execute commands.
  • Understand system relevance and potential exposure.
  • Confirm if affected technology is deployed and accessible.

Attack Path

How an attacker could exploit the issue

An attacker could reach this vulnerability by sending a specially crafted message to the NI grpc-device sideband streaming API. This API, designed for device communication, is potentially exposed to attackers. When the API processes this malicious message, it can lead to an untrusted pointer dereference, which could then be leveraged for remote code execution.

  • No authentication or network exposure required.
  • Vulnerable to specially crafted protobuf messages.
  • Can lead to arbitrary memory dereference.

Live Threat

Current exploitation, exposure, and threat context

The NI grpc-device sideband streaming API could allow an attacker to trigger an arbitrary memory dereference. This occurs when a specially crafted Moniker protobuf message is supplied, and it can potentially lead to remote code execution.

  • System code execution.
  • Specially crafted message supplied.
  • System compromise and data loss.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the NI grpc-device API, a component likely managed by platform or infrastructure teams responsible for device connectivity and communication within industrial or laboratory environments. The first practical step is to identify all instances of the affected NI grpc-device, determine their network exposure and criticality, and then locate the accountable owner for remediation planning.

  • Platform/Infrastructure teams likely own this.
  • Verify network reachability and business criticality.
  • Plan remediation with vendor coordination.

Frequently asked questions

What is NI grpc-device?

NI grpc-device is a software component, specifically an API, that enables communication with measurement and control hardware. It is commonly used in industrial automation, laboratory testing, and engineering environments to interface with instruments. By providing a sideband streaming interface, it allows systems to exchange data efficiently with connected devices, serving as a critical bridge between software applications and physical hardware operations.

What does an untrusted pointer dereference mean for CVE-2026-48137?

This vulnerability, classified as CWE-822, occurs when the software incorrectly handles a memory address provided by an external source. Because the system does not verify this pointer before using it, an attacker can force the program to read or write to arbitrary memory locations. In the context of this CVE, this flaw lets a malicious actor control which memory the program accesses, which can lead to remote code execution and full compromise of the affected system.
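The CWE-822 pattern described above, next to one standard way to remove it, as an added example: this is not NI grpc-device code, and the message layout, struct names and function names are hypothetical. The hardened path gives clients an opaque handle that the server validates against its own table, so a forged or stale value is rejected instead of dereferenced.

```c
/* Added example of CWE-822; not NI grpc-device code, all names hypothetical. */
#include <stddef.h>
#include <stdint.h>
#define MAX_STREAMS 8
typedef struct { int32_t last_sample; } stream_t;
typedef struct { uint64_t stream_ref; } request_t; /* decoded client message */

/* VULNERABLE: the sender's integer is trusted as a server-side address. */
int32_t read_sample_unsafe(const request_t *req) {
    const stream_t *s = (const stream_t *)(uintptr_t)req->stream_ref;
    return s->last_sample; /* dereferences whatever address was supplied */
}

/* HARDENED: clients hold a handle (generation << 32 | slot); the server validates it. */
static stream_t streams[MAX_STREAMS];
static uint32_t slot_gen[MAX_STREAMS];
static uint8_t slot_used[MAX_STREAMS];

uint64_t stream_open(int32_t initial) {
    for (uint32_t i = 0; i < MAX_STREAMS; i++) {
        if (slot_used[i]) continue;
        slot_used[i] = 1;
        slot_gen[i]++; /* a reused slot gets a new generation */
        streams[i].last_sample = initial;
        return ((uint64_t)slot_gen[i] << 32) | i;
    }
    return 0; /* table full; 0 is never a valid handle */
}

static stream_t *stream_lookup(uint64_t handle) {
    uint32_t idx = (uint32_t)(handle & 0xFFFFFFFFu);
    uint32_t gen = (uint32_t)(handle >> 32);
    if (idx >= MAX_STREAMS || !slot_used[idx] || slot_gen[idx] != gen)
        return NULL; /* forged, stale or closed handle */
    return &streams[idx];
}

int stream_close(uint64_t handle) {
    stream_t *s = stream_lookup(handle);
    if (s != NULL) slot_used[s - streams] = 0;
    return s != NULL ? 0 : -1;
}

int read_sample_safe(const request_t *req, int32_t *out) {
    const stream_t *s = stream_lookup(req->stream_ref);
    if (s == NULL) return -1; /* reject instead of dereferencing */
    *out = s->last_sample;
    return 0;
}
```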

How is this vulnerability triggered?

The vulnerability is triggered when the NI grpc-device sideband streaming API receives a specially crafted Moniker protobuf message. The API processes this data without sufficient validation, leading to the memory error. It is important to note that sending standard, legitimate control messages or interacting with other parts of the driver API that do not utilize this specific message structure will not trigger the bug.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal notes that this API is typically used for industrial automation, meaning these components are often deployed within private or isolated laboratory networks rather than on the public internet. While the technical flaw is critical, the actual risk depends on your specific network topology. If your instances are segmented from external traffic, the likelihood of an attacker reaching the vulnerable interface is significantly reduced.

What should I do if I run NI grpc-device?

Start by auditing your environment to locate all instances of NI grpc-device, specifically versions 2.17.0 and earlier. Once identified, evaluate the network accessibility of these systems to determine if they can be reached by unauthorized users. Coordinate with your platform or infrastructure team to verify the criticality of these assets and monitor official vendor channels for available security updates to address the vulnerability.
