BACnet Stack Vulnerability in Protocol Stack C Library for Embedded Systems
CVE-2026-26264

7.8 HIGH

Key Information:

Vendor
CVE Published: 13 February 2026

What is CVE-2026-26264?

The BACnet Stack is an open-source protocol stack designed for embedded systems. A significant vulnerability was identified in its handling of malformed WriteProperty requests, particularly in the wp.c file. This vulnerability stems from the improper validation of APDU size during the decoding process, which can lead to a length underflow when a malformed APDU is processed. As a result, this may trigger an out-of-bounds read, potentially causing a crash and resulting in a Denial of Service (DoS) condition. It is crucial for users to upgrade to version 1.5.0rc4 or 1.4.3rc2 to mitigate this risk.
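The length-underflow pattern described above, as an added example that is not code from bacnet-stack or its wp.c. The message layout, HDR_LEN, struct wp_req and both function names are hypothetical stand-ins, and the sample byte arrays are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout (not BACnet's real encoding): 4-byte object id,
 * 1-byte property id, 1-byte value length, then the value bytes. */
#define HDR_LEN 6u
#define MAX_VALUE 64u
struct wp_req { uint32_t object_id; uint8_t property; uint8_t value[MAX_VALUE]; size_t value_len; };

/* Flawed pattern: unsigned subtraction with no prior size check. For
 * apdu_len < HDR_LEN the result wraps to a huge "bytes remaining" count. */
size_t remaining_unchecked(size_t apdu_len) { return apdu_len - HDR_LEN; }

/* Hardened pattern: validate the size before any subtraction or read.
 * Returns the value length on success, -1 on a malformed request. */
int wp_decode_checked(const uint8_t *apdu, size_t apdu_len, struct wp_req *out)
{
    if (apdu == NULL || out == NULL || apdu_len < HDR_LEN)
        return -1;                          /* truncated header */
    size_t remaining = apdu_len - HDR_LEN;  /* cannot wrap after the check */
    size_t vlen = apdu[5];
    if (vlen > remaining || vlen > MAX_VALUE)
        return -1;                          /* declared length exceeds data */
    out->object_id = ((uint32_t)apdu[0] << 24) | ((uint32_t)apdu[1] << 16) |
                     ((uint32_t)apdu[2] << 8) | (uint32_t)apdu[3];
    out->property = apdu[4];
    memcpy(out->value, &apdu[HDR_LEN], vlen);
    out->value_len = vlen;
    return (int)vlen;
}

/* Constructed sample inputs: well-formed, truncated header, overlong length. */
static const uint8_t sample_ok[] = {0x00, 0x40, 0x00, 0x01, 0x55, 0x02, 0xAA, 0xBB};
static const uint8_t sample_truncated[] = {0x00, 0x40};
static const uint8_t sample_overlong[] = {0x00, 0x40, 0x00, 0x01, 0x55, 0x10, 0xAA};

int main(void)
{
    struct wp_req r;
    printf("unchecked remaining for a 2-byte APDU: %zu\n", remaining_unchecked(2));
    printf("checked: ok=%d truncated=%d overlong=%d\n",
           wp_decode_checked(sample_ok, sizeof sample_ok, &r),
           wp_decode_checked(sample_truncated, sizeof sample_truncated, &r),
           wp_decode_checked(sample_overlong, sizeof sample_overlong, &r));
    return 0;
}
```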

Affected Version(s)

bacnet-stack >= 1.5.0rc1, < 1.5.0rc4

bacnet-stack < 1.4.3rc2

CVSS V4

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
