CVE-2026-26264
Awaiting Analysis Awaiting Analysis - Queue
Out-of-Bounds Read in BACnet Stack Causes DoS Crash

Publication date: 2026-02-13

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-13
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26264
EUVD
EUVD-2026-6027
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
bacnetstack bacnet_stack 1.4.3
bacnetstack bacnet_stack 1.5.0
bacnetstack bacnet_stack 1.5.0
bacnetstack bacnet_stack 1.5.0
bacnetstack bacnet_stack From 1.4.0 (inc) to 1.4.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26264 is a vulnerability in the BACnet Stack, an open source protocol stack C library used in embedded systems. The issue occurs when decoding a malformed WriteProperty request. Specifically, in the function wp_decode_service_request, the code calculates a length parameter as apdu_len - apdu_size without verifying that apdu_size is less than or equal to apdu_len. If a truncated or malformed APDU is processed, this subtraction underflows, resulting in a very large length value.

This causes an out-of-bounds read in memory, which can lead to a crash of the BACnet service, resulting in a denial of service (DoS). The root cause is a lack of proper validation of length fields during decoding, leading to CWE-125 (Out-of-bounds Read). The vulnerability was fixed by adding proper length underflow checks in the decoding functions.

Impact Analysis

This vulnerability can cause the BACnet service to crash when it processes a malformed WriteProperty request. An attacker can exploit this by sending a specially crafted truncated APDU to the vulnerable BACnet service, triggering an out-of-bounds read and causing the process to become unstable or crash.

The impact is a denial of service (DoS), which means the affected system or device running the BACnet stack may become unavailable or stop functioning correctly until it is restarted or patched.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial of service conditions in BACnet stack services when they receive malformed or truncated WriteProperty requests.

A proof-of-concept (PoC) was created using GCC with address sanitizer enabled to detect memory errors related to this vulnerability.

Detection involves sending malformed or truncated WriteProperty APDU packets to the BACnet service and observing if the service crashes or behaves unexpectedly.

  • Use network packet crafting tools (e.g., Scapy) to send malformed WriteProperty APDU requests targeting the BACnet service.
  • Run the BACnet stack binary under a memory error detector such as AddressSanitizer to catch out-of-bounds reads.
  • Monitor system logs and service stability for crashes or denial of service symptoms after sending suspicious packets.
Mitigation Strategies

The immediate mitigation step is to upgrade the BACnet stack to a patched version that fixes this vulnerability.

  • Upgrade to BACnet stack version 1.5.0rc4 or later, or 1.4.3rc2 or later, where the length underflow checks have been properly secured.
  • If upgrading is not immediately possible, consider implementing network-level filtering to block malformed or truncated WriteProperty APDU requests.
  • Monitor BACnet services for crashes and restart them promptly to reduce downtime.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26264. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart