{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26264", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-12T17:10:53.412Z", "datePublished": "2026-02-13T18:14:30.232Z", "dateUpdated": "2026-02-13T18:50:30.367Z"}, "containers": {"cna": {"title": "BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj"}, {"name": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708", "tags": ["x_refsource_MISC"], "url": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708"}], "affected": [{"vendor": "bacnet-stack", "product": "bacnet-stack", "versions": [{"version": ">= 1.5.0rc1, < 1.5.0rc4", "status": "affected"}, {"version": "< 1.4.3rc2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-13T18:14:30.232Z"}, "descriptions": [{"lang": "en", "value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out\u2011of\u2011bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out\u2011of\u2011bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2."}], "source": {"advisory": "GHSA-phjh-v45p-gmjj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T18:49:44.498242Z", "id": "CVE-2026-26264", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T18:50:30.367Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26264", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-13T18:49:44.498242Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T18:50:05.321Z"}}], "cna": {"title": "BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash", "source": {"advisory": "GHSA-phjh-v45p-gmjj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "bacnet-stack", "product": "bacnet-stack", "versions": [{"status": "affected", "version": ">= 1.5.0rc1, < 1.5.0rc4"}, {"status": "affected", "version": "< 1.4.3rc2"}]}], "references": [{"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj", "name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708", "name": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out\u2011of\u2011bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out\u2011of\u2011bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-13T18:14:30.232Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26264", "state": "PUBLISHED", "dateUpdated": "2026-02-13T18:50:30.367Z", "dateReserved": "2026-02-12T17:10:53.412Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-13T18:14:30.232Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BAD4B36-9061-453C-9C23-231993F1E69E", "versionEndExcluding": "1.4.3", "versionStartIncluding": "1.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.4.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "F4D20F1C-637A-4398-AD64-43C05692782D", "vulnerable": true}, {"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "2B47182E-6B7F-4C53-904A-EB37C9C0A439", "vulnerable": true}, {"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "CF491863-1A31-4A23-A6AC-DF7545FCAA48", "vulnerable": true}, {"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "DAB57C9E-9ABF-41FD-8D30-7C319ED23227", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out\u2011of\u2011bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out\u2011of\u2011bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2."}], "id": "CVE-2026-26264", "lastModified": "2026-02-18T18:48:15.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-13T19:17:31.143", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.5.0rc1,1.5.0rc4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.3rc2)"}}], "product": "bacnet_stack", "vendor": "bacnetstack"}], "analysis": {"en": {"generated_at": "2026-04-17T19:50:39.248155+00:00", "value": {"mitigation_remediation": ["Upgrade the bacnet-stack library to version 1.5.0rc4 or later, or to 1.4.3rc2 or later, to eliminate the underflow bug.", "If an upgrade cannot be applied immediately, replace or augment the protocol processing with a custom filter that validates that the incoming apdu_size does not exceed apdu_len before passing it to the BACnet decoder, preventing the underflow.", "Continuously monitor embedded BACnet devices for abnormal crashes or service interruptions, and apply hot\u2011fixes or stable releases as soon as they become available."], "summary": {"action": "Patch", "impact": "Denial of Service (out\u2011of\u2011bounds read leading to crash)"}, "threat_synthesis": {"affected_systems": "Affected are installations of the open\u2011source BACnet Stack (bacnet-stack). Versions older than 1.5.0rc4 and 1.4.3rc2 are vulnerable, including the release candidates listed in the CPE data such as 1.4.3rc1, 1.5.0rc1 through rc3 and earlier baseline releases. Embedded devices or systems that serve as BACnet gateways or controllers and use these versions are at risk.", "description_and_impact": "The vulnerability is a length underflow in the WriteProperty decoder of the BACnet Stack library. A specially crafted WriteProperty request causes the decoder to subtract the actual packet size from the declared length, resulting in a negative value that underflows to a large positive number. The oversized value is then passed to the context decoder, triggering an out\u2011of\u2011bounds read and ultimately a crash, which translates into a denial\u2011of\u2011service condition. The weakness is classified as CWE\u2011125.", "risk_and_exploitability": "The base score of 7.8 indicates high severity. The EPSS score is below 1\u202f%, suggesting that observed exploitation is rare, and the vulnerability is not yet in the KEV list. However, because the flaw can be triggered by sending a malformed WriteProperty request over the BACnet network, any device exposed to an untrusted network could be targeted. Successful exploitation leads to a crash, disrupting service but not permitting remote code execution or data disclosure. The core risk stems from the reliability assumption of protocol decoding; thus, a DoS can be manifested without privileged access."}}}}, "created": "2026-02-13T21:28:30.159480+00:00", "updated": "2026-04-17T20:00:09.012869+00:00", "vendors": ["bacnetstack", "bacnetstack$PRODUCT$bacnet_stack"]}