CVE-2026-26264
Out-of-Bounds Read in BACnet Stack Causes DoS Crash
Publication date: 2026-02-13
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bacnetstack | bacnet_stack | 1.4.3 |
| bacnetstack | bacnet_stack | 1.5.0 |
| bacnetstack | bacnet_stack | From 1.4.0 (inc) to 1.4.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26264 is a vulnerability in the BACnet Stack, an open source protocol stack C library used in embedded systems. The issue occurs when decoding a malformed WriteProperty request. Specifically, in the function wp_decode_service_request, the code calculates a length parameter as apdu_len - apdu_size without verifying that apdu_size is less than or equal to apdu_len. If a truncated or malformed APDU is processed, this subtraction underflows, resulting in a very large length value.
This causes an out-of-bounds read in memory, which can lead to a crash of the BACnet service, resulting in a denial of service (DoS). The root cause is a lack of proper validation of length fields during decoding, leading to CWE-125 (Out-of-bounds Read). The vulnerability was fixed by adding proper length underflow checks in the decoding functions.
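The length computation described above, as an added example that is not code from the BACnet Stack project or from this page: a toy framing, constructed here, in which a header length byte determines `apdu_size`, with the unsigned wrap shown next to the checked form. The framing, the function names and the sample buffers are assumptions for illustration; only the `apdu_len - apdu_size` expression and the missing `apdu_size <= apdu_len` check come from the description.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy framing, constructed for this example (NOT the BACnet encoding):
 *   byte 0 = tag, byte 1 = n, then n header bytes, then the value bytes.
 * Assumption: apdu_len is the number of bytes received and apdu_size is
 * the number of bytes the header claims to occupy. */
static const uint8_t sample_ok[] = { 0x3E, 0x02, 0xAA, 0xBB, 0x01, 0x02, 0x03 };
static const uint8_t sample_truncated[] = { 0x3E, 0x06, 0xAA }; /* header cut short */

/* Unchecked form of the computation the advisory describes:
 * unsigned subtraction wraps around when apdu_size > apdu_len. */
static unsigned value_len_unchecked(unsigned apdu_len, unsigned apdu_size)
{
    return apdu_len - apdu_size;
}

/* Checked form: reject the input instead of letting the length wrap. */
static bool value_len_checked(unsigned apdu_len, unsigned apdu_size, unsigned *out)
{
    if (out == NULL || apdu_size > apdu_len) return false;
    *out = apdu_len - apdu_size;
    return true;
}

/* Hardened toy decoder: returns the number of value bytes and points
 * *value at them, or returns -1 for a truncated or malformed message. */
static int decode_value(const uint8_t *apdu, unsigned apdu_len, const uint8_t **value)
{
    unsigned apdu_size, value_len;
    if (apdu == NULL || value == NULL || apdu_len < 2 || apdu_len > INT_MAX) return -1;
    apdu_size = 2u + apdu[1];          /* header length taken from the message */
    if (!value_len_checked(apdu_len, apdu_size, &value_len)) return -1;
    *value = apdu + apdu_size;         /* in bounds: apdu_size <= apdu_len */
    return (int)value_len;
}

int main(void)
{
    const uint8_t *v = NULL;
    printf("unchecked length for truncated input: %u\n", value_len_unchecked(3u, 8u));
    printf("well-formed: %d value bytes\n", decode_value(sample_ok, sizeof sample_ok, &v));
    printf("truncated:   %d\n", decode_value(sample_truncated, sizeof sample_truncated, &v));
    return 0;
}
```

The unchecked helper only computes the wrapped length and never dereferences with it, so the program is safe to run under AddressSanitizer.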
How can this vulnerability impact me?
This vulnerability can cause the BACnet service to crash when it processes a malformed WriteProperty request. An attacker can exploit this by sending a specially crafted truncated APDU to the vulnerable BACnet service, triggering an out-of-bounds read and causing the process to become unstable or crash.
The impact is a denial of service (DoS), which means the affected system or device running the BACnet stack may become unavailable or stop functioning correctly until it is restarted or patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or denial of service conditions in BACnet stack services when they receive malformed or truncated WriteProperty requests.
A proof-of-concept (PoC) was created using GCC with address sanitizer enabled to detect memory errors related to this vulnerability.
Detection involves sending malformed or truncated WriteProperty APDU packets to the BACnet service and observing if the service crashes or behaves unexpectedly.
- Use network packet crafting tools (e.g., Scapy) to send malformed WriteProperty APDU requests targeting the BACnet service.
- Run the BACnet stack binary under a memory error detector such as AddressSanitizer to catch out-of-bounds reads.
- Monitor system logs and service stability for crashes or denial of service symptoms after sending suspicious packets.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the BACnet stack to a patched version that fixes this vulnerability.
- Upgrade to BACnet stack version 1.5.0rc4 or later, or 1.4.3rc2 or later, where length underflow checks have been added to the decoding functions.
- If upgrading is not immediately possible, consider implementing network-level filtering to block malformed or truncated WriteProperty APDU requests.
- Monitor BACnet services for crashes and restart them promptly to reduce downtime.