{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21870", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T16:44:16.368Z", "datePublished": "2026-02-13T17:58:37.205Z", "dateUpdated": "2026-02-13T18:19:36.183Z"}, "containers": {"cna": {"title": "The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string", "problemTypes": [{"descriptions": [{"cweId": "CWE-193", "lang": "en", "description": "CWE-193: Off-by-one Error", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx"}, {"name": "https://github.com/bacnet-stack/bacnet-stack/pull/1196", "tags": ["x_refsource_MISC"], "url": "https://github.com/bacnet-stack/bacnet-stack/pull/1196"}, {"name": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465", "tags": ["x_refsource_MISC"], "url": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465"}], "affected": [{"vendor": "bacnet-stack", "product": "bacnet-stack", "versions": [{"version": "<= 1.4.2", "status": "affected"}, {"version": ">= 1.5.0.rc1, <= 1.5.0.rc2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-13T17:58:37.205Z"}, "descriptions": [{"lang": "en", "value": "BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow."}], "source": {"advisory": "GHSA-pc83-wp6w-93mx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T18:19:25.750164Z", "id": "CVE-2026-21870", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T18:19:36.183Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21870", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-13T18:19:25.750164Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T18:19:31.816Z"}}], "cna": {"title": "The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string", "source": {"advisory": "GHSA-pc83-wp6w-93mx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "bacnet-stack", "product": "bacnet-stack", "versions": [{"status": "affected", "version": "<= 1.4.2"}, {"status": "affected", "version": ">= 1.5.0.rc1, <= 1.5.0.rc2"}]}], "references": [{"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx", "name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bacnet-stack/bacnet-stack/pull/1196", "name": "https://github.com/bacnet-stack/bacnet-stack/pull/1196", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465", "name": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-193", "description": "CWE-193: Off-by-one Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-13T17:58:37.205Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21870", "state": "PUBLISHED", "dateUpdated": "2026-02-13T18:19:36.183Z", "dateReserved": "2026-01-05T16:44:16.368Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-13T17:58:37.205Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BF2BFCC-54CE-412E-947A-B5C834161829", "versionEndIncluding": "1.4.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "2B47182E-6B7F-4C53-904A-EB37C9C0A439", "vulnerable": true}, {"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "CF491863-1A31-4A23-A6AC-DF7545FCAA48", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow."}], "id": "CVE-2026-21870", "lastModified": "2026-02-18T18:49:07.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-13T18:16:19.783", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/bacnet-stack/bacnet-stack/pull/1196"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-193"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.2]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.5.0.rc1,1.5.0.rc2]"}}], "product": "bacnet_stack", "vendor": "bacnetstack"}], "analysis": {"en": {"generated_at": "2026-04-17T19:51:08.347320+00:00", "value": {"mitigation_remediation": ["Upgrade the BACnet stack library to a release that corrects the tokenizer null\u2011termination logic (consult the project\u2019s release notes for the fixed version).", "Rebuild or redeploy your BACnet\u2011enabled applications using the updated library to ensure the stack overflow bug is eliminated.", "As a temporary safeguard for environments that cannot immediately update, validate or truncate string literals to fewer than 40 characters before passing them to the tokenizer, or implement input validation in the calling application to reject overly long strings."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via crash"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the BACnet Protocol Stack (bacnet-stack) library, particularly versions 1.4.2, 1.5.0 RC2, and earlier releases. Systems that incorporate these library versions in their BACnet applications are potentially affected. The stack uses a tokenizer function located in src/bacnet/basic/program/ubasic/tokenizer.c to process string literals, and the flaw is present in all releases until a newer version that corrects the null termination logic.", "description_and_impact": "An off\u2011by\u2011one stack overflow occurs in the ubasic interpreter inside the BACnet Protocol Stack library; when a string literal longer than the 40\u2011byte buffer is parsed, the tokenizer writes a null byte past the end of the buffer, corrupting the stack and causing the process to abort with SIGABRT. The bug does not enable code execution or privilege escalation, but it reliably disrupts service by terminating the process that is handling BACnet messages. The impact is aligned with a moderate denial of service.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation within the current time window, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to supply long string literals to the ubasic interpreter, which typically requires local access to the device or the ability to inject input into the application that uses the library. Because the flaw only causes a crash, the risk to confidentiality or integrity is minimal, but the denial of service may impact operational availability of BACnet devices or services. Overall, the risk is moderate with a low likelihood of exploitation in current threat environments."}}}}, "created": "2026-02-13T21:28:31.749094+00:00", "updated": "2026-04-17T20:00:09.014319+00:00", "vendors": ["bacnetstack", "bacnetstack$PRODUCT$bacnet_stack"]}