Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.8
BACnet Stack Can Crash Embedded Systems with Malicious Requests
CVE-2026-26264
Summary
A flaw in the BACnet Stack library for embedded systems can cause a system crash if it receives a specially crafted network message. This can happen when a device receives a malformed message that incorrectly reports its size, causing the system to try to read data outside its boundaries. To fix this issue, update to BACnet Stack version 1.5.0rc4 or 1.4.3rc2.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| bacnetstack | bacnet_stack | > 1.4.0 , <= 1.4.3 | – |
| bacnetstack | bacnet_stack | 1.4.3 | – |
| bacnetstack | bacnet_stack | 1.5.0 | – |
| bacnetstack | bacnet_stack | 1.5.0 | – |
| bacnetstack | bacnet_stack | 1.5.0 | – |
Original title
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet st...
Original description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.
nvd CVSS3.1
8.1
nvd CVSS4.0
7.8
Vulnerability type
CWE-125
Out-of-bounds Read
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026