ByteOS

Assigner-GitHub, Inc.

CVSS Score-7.8||HIGH

EPSS-0.05% / 15.59%

||

7 Day CHG~0.00%

Published-13 Feb, 2026 | 18:14

Updated-18 Feb, 2026 | 18:48

BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.

CWE ID-CWE-125

Out-of-bounds Read

CVE-2026-21878

Assigner-GitHub, Inc.

Assigner-GitHub, Inc.

CVSS Score-7.5||HIGH

EPSS-0.05% / 15.80%

||

7 Day CHG~0.00%

Published-13 Feb, 2026 | 18:10

Updated-18 Feb, 2026 | 18:49

BACnet Stack Improperly Limits Pathnames to a Restricted Directory

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3.

CWE ID-CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2026-21870

Assigner-GitHub, Inc.

Assigner-GitHub, Inc.

CVSS Score-5.5||MEDIUM

EPSS-0.01% / 1.75%

||

7 Day CHG~0.00%

Published-13 Feb, 2026 | 17:58

Updated-18 Feb, 2026 | 18:49

The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string

BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow.

CWE ID-CWE-193

Off-by-one Error

CVE-2025-66624

Assigner-GitHub, Inc.

Assigner-GitHub, Inc.

CVSS Score-7.5||HIGH

EPSS-0.08% / 23.79%

||

7 Day CHG+0.02%

Published-05 Dec, 2025 | 18:36

Updated-18 Feb, 2026 | 18:21

BACnet-stack MS/TP reply matcher OOB read

BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, The npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable.