CVE-2026-28253
Received
Received - Intake
Memory Allocation Overflow in Trane Tracer Causes DoS
Publication date: 2026-03-12
Last updated on: 2026-03-27
Assigner: ICS-CERT
Description
Description
A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trane | tracer_sc_firmware | to 4.4 (inc) |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc_firmware | 4.4 |
| trane | tracer_sc+_firmware | to 6.3.2310 (exc) |
| trane | tracer_concierge | to 6.3.2310 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
