Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-21870 is an off-by-one stack-based buffer overflow vulnerability in the ubasic interpreter component of the bacnet-stack project. It occurs in the function tokenizer_string when processing string literals that exceed the buffer size limit of 40 bytes. The function incorrectly writes a null terminator at position 40 (dest[40]) when the buffer only has indices 0 to 39, causing a stack overflow.'}, {'type': 'paragraph', 'content': "This vulnerability leads to a crash (SIGABRT) when the interpreter processes string literals longer than the buffer limit. The issue arises from improper handling of null termination and unsafe string operations in the ubasic interpreter's string tokenizer."}, {'type': 'paragraph', 'content': 'The vulnerability was fixed by correcting the off-by-one errors, ensuring proper buffer size checks, replacing unsafe sprintf calls with snprintf, zero-initializing buffers, and adding unit tests to verify safe string handling.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the bacnet-stack ubasic interpreter to crash (SIGABRT) when processing string literals longer than the buffer limit, leading to a denial of service.

The CVSS v3.1 score is 5.5 (Moderate), indicating that the impact is primarily on availability. There is no impact on confidentiality or integrity.

An attacker can exploit this vulnerability locally without privileges but requires user interaction to trigger the crash by providing a specially crafted string literal.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability causes a stack-based buffer overflow in the ubasic interpreter when processing string literals longer than the buffer limit, resulting in a crash (SIGABRT). Detection can involve monitoring for crashes or abnormal termination of the bacnet-stack ubasic interpreter component when handling string inputs.

A proof-of-concept triggers the overflow by loading a script containing a string literal of length 41 characters (40 valid characters plus one extra). Thus, testing with such input strings can help detect the vulnerability.

Since the vulnerability is local and requires user interaction, detection commands could include running the ubasic interpreter with crafted scripts containing long string literals to observe if it crashes.

• Run the ubasic interpreter with a script containing a string literal longer than 40 characters to see if it crashes with SIGABRT.
• Monitor system logs for SIGABRT signals or crashes related to the bacnet-stack ubasic interpreter.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves updating the bacnet-stack project to a version where the vulnerability is fixed, specifically versions 1.4.3 or later and 1.5.0.rc3 or later.

The fix includes correcting off-by-one buffer overflows in the tokenizer_string and tokenizer_label functions, replacing unsafe string functions with safe ones like snprintf(), zero-initializing buffers, and adding proper null termination.

If updating is not immediately possible, avoid processing string literals longer than 40 characters in the ubasic interpreter to prevent triggering the overflow.

• Upgrade bacnet-stack to version 1.4.3, 1.5.0.rc3, or later where the vulnerability is patched.
• Avoid using or processing scripts with string literals exceeding 40 characters in the ubasic interpreter.
• Monitor for crashes and apply patches as soon as they become available.

Useful 0 Not Useful 0