CVE-2026-26264

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-26264
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26264.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26264
Aliases
  • GHSA-phjh-v45p-gmjj
Published
2026-02-13T18:14:30.232Z
Modified
2026-02-20T02:26:30.679229Z
Severity
  • 7.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash
Details

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wpdecodeservicerequest. When decoding the optional priority context tag, the code passes apdulen - apdusize to bacnetunsignedcontextdecode without validating that apdusize <= apdulen. If a truncated APDU reaches this path, apdulen - apdusize underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.

Database specific 
{
    "cwe_ids": [
        "CWE-125"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26264.json"
}
References

Affected packages

Git / github.com/bacnet-stack/bacnet-stack

Affected ranges

Type
GIT
Repo
https://github.com/bacnet-stack/bacnet-stack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708
Introduced
f332225b196aa66503faae64f92bef113fe89ab2
Fixed
4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708

Affected versions

bacnet-stack-1.*
bacnet-stack-1.4.0
bacnet-stack-1.4.1
bacnet-stack-1.4.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26264.json"
vanir_signatures 
[
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "334356809919514516432083377056186192478",
            "length": 1934.0
        },
        "source": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708",
        "signature_type": "Function",
        "id": "CVE-2026-26264-12a0c9e5",
        "target": {
            "file": "src/bacnet/wp.c",
            "function": "wp_decode_service_request"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "86935645793636965531492864868929223578",
                "160676028784636020757255129909871670989",
                "143096784000835583585817750725299034851",
                "7366191321794427393793293445976275140",
                "42782924848607664372544988191953447198",
                "156721549425965508338962098494346588975",
                "138478316628889352331007744282453055915",
                "304371974899924991137966159474120879367",
                "117476227685607305122797432547476514768",
                "150713335775850271077862886081866066851",
                "60116312716213668157356836762301870606",
                "36356640393317167282140015369004155823",
                "125854105733869574411570926856213136871",
                "184260120630533185176516308525856423078",
                "218403010877980967470103229806667359300",
                "285978267618684373263343832404305508489"
            ]
        },
        "source": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708",
        "signature_type": "Line",
        "id": "CVE-2026-26264-3590fc09",
        "target": {
            "file": "src/bacnet/bacaction.c"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "144957117682056278464691235336397467681",
            "length": 2878.0
        },
        "source": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708",
        "signature_type": "Function",
        "id": "CVE-2026-26264-497dd425",
        "target": {
            "file": "src/bacnet/bacaction.c",
            "function": "bacnet_action_command_decode"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "232179150040674916410609772041420062328",
                "229169931636287320737442881183971486617",
                "95419355892275642855107148329873999362",
                "125687697256170043151832906535162227021"
            ]
        },
        "source": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708",
        "signature_type": "Line",
        "id": "CVE-2026-26264-a2eaba25",
        "target": {
            "file": "src/bacnet/wp.c"
        }
    }
]