BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.
References
| Link | Resource |
|---|---|
| https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708 | Patch |
| https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj | Vendor Advisory Exploit |
Configurations
Configuration 1 (hide)
|
History
18 Feb 2026, 18:48
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708 - Patch | |
| References | () https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj - Vendor Advisory, Exploit | |
| First Time |
Bacnetstack bacnet Stack
Bacnetstack |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
| CPE | cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:* cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc3:*:*:*:*:*:* cpe:2.3:a:bacnetstack:bacnet_stack:1.4.3:rc1:*:*:*:*:*:* cpe:2.3:a:bacnetstack:bacnet_stack:*:*:*:*:*:*:*:* cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc2:*:*:*:*:*:* |
13 Feb 2026, 19:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-13 19:17
Updated : 2026-02-18 18:48
NVD link : CVE-2026-26264
Mitre link : CVE-2026-26264
CVE.ORG link : CVE-2026-26264
JSON object : View
Products Affected
bacnetstack
- bacnet_stack
CWE
CWE-125
Out-of-bounds Read