CVE-2026-28253
Published: 12 March 2026
Summary
CVE-2026-28253 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Trane Tracer SC firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 21.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes unauthenticated network exploitation of a memory allocation flaw (CWE-789) that directly produces resource exhaustion and DoS. This matches the definition of T1499.004, Application or System Exploitation, under Endpoint Denial of Service.
NVD Description
A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition.
Deeper analysis
CVE-2026-28253 is a Memory Allocation with Excessive Size Value vulnerability, classified under CWE-789, affecting Trane Tracer SC, Tracer SC+, and Tracer Concierge. Published on 2026-03-12T18:16:23.370, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.
An unauthenticated attacker with network access can exploit this vulnerability: attack complexity is low, and no privileges or user interaction are required. Successful exploitation would trigger excessive memory allocation, leading to a denial-of-service condition on the affected systems.
The CISA ICS Advisory ICSA-26-071-01, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01, provides further details on mitigation strategies for this vulnerability.
Details
- CWE(s)