CVE-2026-26264

EUVD-2026-6027

13.02.2026, 19:17

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Affected Products (NVD)

Vendor	Product	Version
bacnetstack	bacnet_stack	1.4.0 ≤ 𝑥 < 1.4.3
bacnetstack	bacnet_stack	1.4.3:rc1
bacnetstack	bacnet_stack	1.5.0:rc1
bacnetstack	bacnet_stack	1.5.0:rc2
bacnetstack	bacnet_stack	1.5.0:rc3

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708

https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj