Vulnerability Details CVE-2026-26264
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.9%
CVSS Severity
CVSS v3 Score 8.1
References
Products affected by CVE-2026-26264
-
cpe:2.3:a:bacnetstack:bacnet_stack:1.4.0
-
cpe:2.3:a:bacnetstack:bacnet_stack:1.4.1
-
cpe:2.3:a:bacnetstack:bacnet_stack:1.4.2
-
cpe:2.3:a:bacnetstack:bacnet_stack:1.4.3
-
cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0