CVE-2026-28253
Published: 12 March 2026
Summary
CVE-2026-28253 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Trane Tracer SC Firmware. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); it is ranked at the 22.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-28253 is a Memory Allocation with Excessive Size Value vulnerability, classified under CWE-789, affecting Trane Tracer SC, Tracer SC+, and Tracer Concierge. Published on 2026-03-12T18:16:23.370, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.
An unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Successful exploitation would trigger excessive memory allocation, leading to a denial-of-service condition on the affected systems.
The CISA ICS Advisory ICSA-26-071-01, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01, provides further details on mitigation strategies for this vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11631
Vulnerability details
A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition.
- CWE(s): CWE-789 (Memory Allocation with Excessive Size Value)
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
The CVE describes unauthenticated network exploitation of a memory allocation flaw (CWE-789) that directly produces resource exhaustion and denial of service; this matches the definition of T1499.004 Application or System Exploitation under Endpoint Denial of Service.
Affected Assets
- Trane Tracer SC
- Trane Tracer SC+
- Trane Tracer Concierge
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
- Validates the size and other parameters of network inputs to prevent excessive memory allocation requests from unauthenticated attackers.
- Enforces predefined limits on memory resources to block exhaustion caused by oversized allocation attempts in Trane Tracer systems.
- Implements denial-of-service protections specifically targeting resource exhaustion vulnerabilities like CWE-789 memory allocation flaws.
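As an added illustration of the input-size validation and resource limit the controls above describe, the following C code is an example written for this page; it is not code from the advisory, from CISA, or from Trane's firmware. It parses a hypothetical length-prefixed message format (a 4-byte big-endian length followed by the payload), and the wire format, the MAX_PAYLOAD ceiling, the function names and the constructed sample inputs are all assumptions made for the example. The point it shows is the CWE-789 mitigation pattern: an attacker-controlled length field is checked against both a fixed ceiling and the bytes actually received before it is ever passed to malloc().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format used only for this example (not a Trane protocol):
 *   4-byte big-endian payload length, followed by that many payload bytes. */
#define HDR_LEN 4

/* Fixed ceiling on a single payload. The value is an assumption for the
 * example; a real device derives it from what the protocol legitimately needs. */
#define MAX_PAYLOAD 4096u

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER,  /* fewer than HDR_LEN bytes received */
    PARSE_TOO_LARGE,     /* declared length exceeds MAX_PAYLOAD */
    PARSE_TRUNCATED,     /* declared length exceeds bytes actually received */
    PARSE_ALLOC_FAILED   /* malloc() returned NULL for an in-bounds size */
};

struct message {
    uint32_t len;
    uint8_t *payload;   /* NULL when len == 0 */
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one message from a received buffer. Every check on the declared
 * length happens before any allocation, so the untrusted field can never
 * drive the size handed to malloc(). */
enum parse_status parse_message(const uint8_t *buf, size_t buf_len,
                                struct message *out)
{
    out->len = 0;
    out->payload = NULL;

    if (buf_len < HDR_LEN)
        return PARSE_SHORT_HEADER;

    uint32_t declared = read_be32(buf);
    if (declared > MAX_PAYLOAD)          /* SC-6 style resource limit */
        return PARSE_TOO_LARGE;
    if (declared > buf_len - HDR_LEN)    /* length must match what arrived */
        return PARSE_TRUNCATED;

    if (declared > 0) {
        out->payload = malloc(declared);
        if (out->payload == NULL)
            return PARSE_ALLOC_FAILED;
        memcpy(out->payload, buf + HDR_LEN, declared);
    }
    out->len = declared;
    return PARSE_OK;
}

void free_message(struct message *m)
{
    free(m->payload);
    m->payload = NULL;
    m->len = 0;
}

int main(void)
{
    /* Constructed sample inputs for the demonstration. */
    const uint8_t good[] = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
    const uint8_t huge[] = {0xFF, 0xFF, 0xFF, 0xFF};            /* claims ~4 GiB */
    const uint8_t lying[] = {0x00, 0x00, 0x00, 0x10, 'x', 'y'}; /* claims 16, sends 2 */
    struct message m;

    printf("good  -> %d\n", parse_message(good, sizeof good, &m));   /* 0 */
    free_message(&m);
    printf("huge  -> %d\n", parse_message(huge, sizeof huge, &m));   /* 2 */
    printf("lying -> %d\n", parse_message(lying, sizeof lying, &m)); /* 3 */
    return 0;
}
```

The two checks serve different purposes: the MAX_PAYLOAD ceiling caps how much memory one message can ever cost, and the received-length check rejects headers that promise more data than arrived, which would otherwise let a peer force large allocations while sending very few bytes. Rejected messages are logged and dropped without allocating anything, which is the behaviour the resource-availability and denial-of-service controls call for.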