
CVE-2026-28253

Severity: High

Published: 12 March 2026
Modified: 27 March 2026
KEV Added: not listed
Patch: see vendor advisory (CISA ICSA-26-071-01)
CVSS v4 Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0031 (22.2nd percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-28253 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Trane Tracer SC firmware. Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 22.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-Service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-28253 is a Memory Allocation with Excessive Size Value vulnerability, classified under CWE-789, affecting Trane Tracer SC, Tracer SC+, and Tracer Concierge. Published on 2026-03-12T18:16:23.370, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); the score reflects high severity driven entirely by the availability impact, with no confidentiality or integrity impact.

The vulnerability is reachable by an unauthenticated attacker with network access: attack complexity is low and no privileges or user interaction are required. Successful exploitation triggers excessive memory allocation, exhausting resources and producing a denial-of-service condition on the affected controller.

The CISA ICS Advisory ICSA-26-071-01, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01, provides further details on mitigation strategies for this vulnerability.

Vulnerability details

A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition.

CWE(s)

CWE-789 Memory Allocation with Excessive Size Value

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The CVE describes unauthenticated network exploitation of a memory allocation flaw (CWE-789) that directly produces resource exhaustion and denial of service; this matches the definition of T1499.004 Application or System Exploitation under Endpoint Denial of Service.

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

CVEs Like This One

CVE-2026-28255 (same product: Trane Tracer Concierge)
CVE-2026-28256 (same product: Trane Tracer Concierge)
CVE-2026-28254 (same product: Trane Tracer Concierge)
CVE-2026-28252 (same product: Trane Tracer Concierge)
CVE-2026-39312 (shared CWE-789)
CVE-2025-30211 (shared CWE-789)
CVE-2024-52791 (shared CWE-789)
CVE-2026-8485 (shared CWE-789)
CVE-2026-24158 (shared CWE-789)
CVE-2026-24146 (shared CWE-789)

Affected Assets

Vendor: trane; Product: tracer sc firmware; Affected versions: ≤ 4.4 (listed version 4.4)
Vendor: trane; Product: tracer sc+ firmware; Affected versions: ≤ 6.3.2310
Vendor: trane; Product: tracer concierge; Affected versions: ≤ 6.3.2310

Mitigating Controls

Mapped to NIST 800-53 r5 (AI-assisted mapping)

Control type: prevent
Validates the size and other parameters of network inputs to prevent excessive memory allocation requests from unauthenticated attackers.

Control type: prevent
Enforces predefined limits on memory resources to block exhaustion caused by oversized allocation attempts in Trane Tracer systems.

Control type: prevent, detect
Implements denial-of-service protections specifically targeting resource exhaustion vulnerabilities like CWE-789 memory allocation flaws.

References

CISA ICS Advisory ICSA-26-071-01: https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01