CVE-2026-26264
Published: 13 February 2026
Summary
CVE-2026-26264 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Bacnetstack Bacnet Stack. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the root cause by requiring validation of information inputs like malformed WriteProperty APDUs to prevent length underflows and out-of-bounds reads.
Mandates timely flaw remediation, such as updating the BACnet Stack library to patched versions 1.5.0rc4 or 1.4.3rc2, eliminating the vulnerability.
Implements memory protections that mitigate the impact of out-of-bounds reads triggered by the length underflow, reducing confidentiality and availability risks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network exploitation of BACnet protocol handler via crafted APDU triggers OOB read and crash (CWE-125); directly maps to public-facing app exploitation (T1190) and application exploitation for endpoint DoS (T1499.004).
NVD Description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash…
more
(DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.
Deeper analysisAI
CVE-2026-26264 is a length underflow vulnerability in the BACnet Stack, an open-source C library implementing the BACnet protocol for embedded systems. Affected versions are those prior to 1.5.0rc4 and 1.4.3rc2. The flaw occurs in the wp_decode_service_request function within wp.c, where a malformed WriteProperty request causes an underflow during decoding of the optional priority context tag. Specifically, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without checking if apdu_size <= apdu_len, leading to a truncated APDU producing a negative value that underflows to a large positive size. This triggers an out-of-bounds read, resulting in a crash and denial of service (DoS). The issue is classified as CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By sending a specially crafted, truncated WriteProperty request APDU, the attacker triggers the underflow, causing an out-of-bounds read that may disclose sensitive memory contents (high confidentiality impact, C:H) and crashes the application (high availability impact, A:H), enabling a DoS. No privilege escalation or integrity impact occurs (I:N, S:U).
The vulnerability is addressed in BACnet Stack releases 1.5.0rc4 and 1.4.3rc2, as detailed in the project's GitHub security advisory (GHSA-phjh-v45p-gmjj) and the fixing commit (4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708). Security practitioners should update affected embedded systems or BACnet implementations to these patched versions to mitigate the issue.
Details
- CWE(s)