FKIE_CVE-2026-21870

Vulnerability from fkie_nvd - Published: 2026-02-13 18:16 - Updated: 2026-02-18 18:49
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow.
References
security-advisories@github.comhttps://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465Patch
security-advisories@github.comhttps://github.com/bacnet-stack/bacnet-stack/pull/1196Patch
security-advisories@github.comhttps://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mxVendor Advisory, Exploit
Impacted products
Vendor Product Version
bacnetstack bacnet_stack *
bacnetstack bacnet_stack 1.5.0
bacnetstack bacnet_stack 1.5.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3BF2BFCC-54CE-412E-947A-B5C834161829",
              "versionEndIncluding": "1.4.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "2B47182E-6B7F-4C53-904A-EB37C9C0A439",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "CF491863-1A31-4A23-A6AC-DF7545FCAA48",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow."
    },
    {
      "lang": "es",
      "value": "La librer\u00eda de la pila de protocolo BACnet proporciona servicios de comunicaci\u00f3n de capa de aplicaci\u00f3n, capa de red y capa de acceso al medio (MAC) de BACnet. En las versiones 1.4.2, 1.5.0.rc2 y anteriores, un desbordamiento de b\u00fafer basado en pila por un byte en el int\u00e9rprete ubasic provoca un fallo (SIGABRT) al procesar literales de cadena m\u00e1s largos que el l\u00edmite del b\u00fafer. La funci\u00f3n tokenizer_string en src/bacnet/basic/program/ubasic/tokenizer.c maneja incorrectamente la terminaci\u00f3n nula para cadenas de longitud m\u00e1xima. Escribe un byte nulo en dest[40] cuando el tama\u00f1o del b\u00fafer es solo 40 (\u00edndices 0-39), desencadenando un desbordamiento de pila."
    }
  ],
  "id": "CVE-2026-21870",
  "lastModified": "2026-02-18T18:49:07.307",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-13T18:16:19.783",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/bacnet-stack/bacnet-stack/pull/1196"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory",
        "Exploit"
      ],
      "url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-193"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.