CVE-2026-21878
Arbitrary File Write in BACnet Stack File Handling
Publication date: 2026-02-13
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bacnetstack | bacnet_stack | 1.5.0 |
| bacnetstack | bacnet_stack | 1.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-21878 is a high-severity path traversal vulnerability in the BACnet Stack, an open source BACnet protocol stack C library for embedded systems. The vulnerability exists in the file writing functionality where user-provided file paths are not validated. This allows attackers to write files to arbitrary directories on the system.'}, {'type': 'paragraph', 'content': 'Specifically, the vulnerable code accepts file paths from users without blocking relative path components like ".." or absolute paths starting with "/". This lack of validation enables directory traversal attacks, allowing attackers to create or overwrite files outside the intended directories.'}, {'type': 'paragraph', 'content': 'The vulnerability affects source files apps/readfile/main.c and ports/posix/bacfile-posix.c and can be exploited without authentication or user interaction, via network access to BACnet AtomicWriteFile services.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have serious impacts including arbitrary file writes on the affected system, which can lead to system compromise.
- Attackers can overwrite critical configuration files or system files, potentially escalating privileges.
- It enables data manipulation by unauthorized parties.
- It can cause denial of service by corrupting essential files.
- Attackers may establish persistence by planting backdoors or malicious files.
The attack vector is network-based and requires no authentication or user interaction, making exploitation easier and more dangerous.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unexpected file writes to arbitrary directories, especially files created outside the intended BACnet file directories.'}, {'type': 'paragraph', 'content': 'One way to detect exploitation attempts is to look for file creation or modification events involving suspicious paths containing directory traversal patterns such as ".." or absolute paths starting with "/".'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves the BACnet AtomicWriteFile service accepting unvalidated file paths over the network, network traffic analysis tools can be used to inspect BACnet file write requests for suspicious file path parameters.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': 'Using Linux auditd to monitor file writes outside expected directories, e.g., audit rules to watch /tmp or other sensitive directories.'}, {'type': 'list_item', 'content': "Using find to locate recently created files with suspicious names or locations, e.g., `find / -type f -name '*pwned.txt' -o -name '*absolute_path.txt' -mtime -1`."}, {'type': 'list_item', 'content': 'Using network packet capture tools (tcpdump, Wireshark) to filter BACnet traffic and inspect file write requests for suspicious file paths.'}, {'type': 'list_item', 'content': 'Reviewing application logs for error messages or warnings related to file path validation failures if logging is enabled post-patch.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include applying the security patch that fixes the vulnerability by implementing strict file path validation.'}, {'type': 'list_item', 'content': 'Update BACnet Stack to version 1.5.0.rc3 or later, which includes the fix.'}, {'type': 'list_item', 'content': 'Implement path validation in the BACnet file writing functions to block directory traversal sequences like ".." and absolute paths starting with "/".'}, {'type': 'list_item', 'content': 'Use the provided validation function (e.g., `filename_path_valid`) to reject unsafe file paths before file operations.'}, {'type': 'list_item', 'content': 'Configure the system to restrict file writes to a whitelist of allowed directories (e.g., `/var/bacnet/files`).'}, {'type': 'list_item', 'content': 'Run BACnet processes under a dedicated user with limited filesystem permissions to reduce impact of potential exploitation.'}, {'type': 'list_item', 'content': 'Enable logging and auditing of file access attempts to detect and respond to suspicious activity.'}] [1, 2]