CVE-2026-21870 (GCVE-0-2026-21870)
Vulnerability from cvelistv5 – Published: 2026-02-13 17:58 – Updated: 2026-02-13 18:19
VLAI
Title
The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string
Summary
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-193 - Off-by-one Error
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/bacnet-stack/bacnet-stack/secu… | x_refsource_CONFIRM |
| https://github.com/bacnet-stack/bacnet-stack/pull/1196 | x_refsource_MISC |
| https://github.com/bacnet-stack/bacnet-stack/comm… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bacnet-stack | bacnet-stack |
Affected:
<= 1.4.2
Affected: >= 1.5.0.rc1, <= 1.5.0.rc2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T18:19:25.750164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:19:36.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bacnet-stack",
"vendor": "bacnet-stack",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.4.2"
},
{
"status": "affected",
"version": "\u003e= 1.5.0.rc1, \u003c= 1.5.0.rc2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193: Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T17:58:37.205Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/pull/1196",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/pull/1196"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465"
}
],
"source": {
"advisory": "GHSA-pc83-wp6w-93mx",
"discovery": "UNKNOWN"
},
"title": "The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21870",
"datePublished": "2026-02-13T17:58:37.205Z",
"dateReserved": "2026-01-05T16:44:16.368Z",
"dateUpdated": "2026-02-13T18:19:36.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-21870",
"date": "2026-06-27",
"epss": "0.0024",
"percentile": "0.15064"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-21870\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-13T18:16:19.783\",\"lastModified\":\"2026-06-17T10:19:03.763\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow.\"},{\"lang\":\"es\",\"value\":\"La librer\u00eda de la pila de protocolo BACnet proporciona servicios de comunicaci\u00f3n de capa de aplicaci\u00f3n, capa de red y capa de acceso al medio (MAC) de BACnet. En las versiones 1.4.2, 1.5.0.rc2 y anteriores, un desbordamiento de b\u00fafer basado en pila por un byte en el int\u00e9rprete ubasic provoca un fallo (SIGABRT) al procesar literales de cadena m\u00e1s largos que el l\u00edmite del b\u00fafer. La funci\u00f3n tokenizer_string en src/bacnet/basic/program/ubasic/tokenizer.c maneja incorrectamente la terminaci\u00f3n nula para cadenas de longitud m\u00e1xima. Escribe un byte nulo en dest[40] cuando el tama\u00f1o del b\u00fafer es solo 40 (\u00edndices 0-39), desencadenando un desbordamiento de pila.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"bacnet-stack\",\"product\":\"bacnet-stack\",\"versions\":[{\"version\":\"\u003c= 1.4.2\",\"status\":\"affected\"},{\"version\":\"\u003e= 1.5.0.rc1, \u003c= 1.5.0.rc2\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-02-13T18:19:25.750164Z\",\"id\":\"CVE-2026-21870\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-193\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bacnetstack:bacnet_stack:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.4.2\",\"matchCriteriaId\":\"3BF2BFCC-54CE-412E-947A-B5C834161829\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B47182E-6B7F-4C53-904A-EB37C9C0A439\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF491863-1A31-4A23-A6AC-DF7545FCAA48\"}]}]}],\"references\":[{\"url\":\"https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bacnet-stack/bacnet-stack/pull/1196\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-21870\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-13T18:19:25.750164Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-13T18:19:31.816Z\"}}], \"cna\": {\"title\": \"The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string\", \"source\": {\"advisory\": \"GHSA-pc83-wp6w-93mx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"bacnet-stack\", \"product\": \"bacnet-stack\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 1.4.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.5.0.rc1, \u003c= 1.5.0.rc2\"}]}], \"references\": [{\"url\": \"https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx\", \"name\": \"https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/bacnet-stack/bacnet-stack/pull/1196\", \"name\": \"https://github.com/bacnet-stack/bacnet-stack/pull/1196\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465\", \"name\": \"https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-193\", \"description\": \"CWE-193: Off-by-one Error\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-13T17:58:37.205Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-21870\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-13T18:19:36.183Z\", \"dateReserved\": \"2026-01-05T16:44:16.368Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-13T17:58:37.205Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…