CVE-2026-21878
Awaiting Analysis Awaiting Analysis - Queue
Arbitrary File Write in BACnet Stack File Handling

Publication date: 2026-02-13

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-13
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21878
EUVD
EUVD-2026-6026
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
bacnetstack bacnet_stack 1.5.0
bacnetstack bacnet_stack 1.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-21878 is a high-severity path traversal vulnerability in the BACnet Stack, an open source BACnet protocol stack C library for embedded systems. The vulnerability exists in the file writing functionality where user-provided file paths are not validated. This allows attackers to write files to arbitrary directories on the system.'}, {'type': 'paragraph', 'content': 'Specifically, the vulnerable code accepts file paths from users without blocking relative path components like ".." or absolute paths starting with "/". This lack of validation enables directory traversal attacks, allowing attackers to create or overwrite files outside the intended directories.'}, {'type': 'paragraph', 'content': 'The vulnerability affects source files apps/readfile/main.c and ports/posix/bacfile-posix.c and can be exploited without authentication or user interaction, via network access to BACnet AtomicWriteFile services.'}] [1]

Impact Analysis

This vulnerability can have serious impacts including arbitrary file writes on the affected system, which can lead to system compromise.

  • Attackers can overwrite critical configuration files or system files, potentially escalating privileges.
  • It enables data manipulation by unauthorized parties.
  • It can cause denial of service by corrupting essential files.
  • Attackers may establish persistence by planting backdoors or malicious files.

The attack vector is network-based and requires no authentication or user interaction, making exploitation easier and more dangerous.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unexpected file writes to arbitrary directories, especially files created outside the intended BACnet file directories.'}, {'type': 'paragraph', 'content': 'One way to detect exploitation attempts is to look for file creation or modification events involving suspicious paths containing directory traversal patterns such as ".." or absolute paths starting with "/".'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves the BACnet AtomicWriteFile service accepting unvalidated file paths over the network, network traffic analysis tools can be used to inspect BACnet file write requests for suspicious file path parameters.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': 'Using Linux auditd to monitor file writes outside expected directories, e.g., audit rules to watch /tmp or other sensitive directories.'}, {'type': 'list_item', 'content': "Using find to locate recently created files with suspicious names or locations, e.g., `find / -type f -name '*pwned.txt' -o -name '*absolute_path.txt' -mtime -1`."}, {'type': 'list_item', 'content': 'Using network packet capture tools (tcpdump, Wireshark) to filter BACnet traffic and inspect file write requests for suspicious file paths.'}, {'type': 'list_item', 'content': 'Reviewing application logs for error messages or warnings related to file path validation failures if logging is enabled post-patch.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include applying the security patch that fixes the vulnerability by implementing strict file path validation.'}, {'type': 'list_item', 'content': 'Update BACnet Stack to version 1.5.0.rc3 or later, which includes the fix.'}, {'type': 'list_item', 'content': 'Implement path validation in the BACnet file writing functions to block directory traversal sequences like ".." and absolute paths starting with "/".'}, {'type': 'list_item', 'content': 'Use the provided validation function (e.g., `filename_path_valid`) to reject unsafe file paths before file operations.'}, {'type': 'list_item', 'content': 'Configure the system to restrict file writes to a whitelist of allowed directories (e.g., `/var/bacnet/files`).'}, {'type': 'list_item', 'content': 'Run BACnet processes under a dedicated user with limited filesystem permissions to reduce impact of potential exploitation.'}, {'type': 'list_item', 'content': 'Enable logging and auditing of file access attempts to detect and respond to suspicious activity.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21878. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart