What is the CVSS score of CVE-2026-26264?

CVE-2026-26264 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Bacnet Stack are affected by CVE-2026-26264?

A denial-of-service vulnerability in BACnet Stack could allow attackers to crash systems running affected versions, potentially disrupting building automation, HVAC, and industrial control operations…. A patch is available.

Is there a public PoC exploit available for CVE-2026-26264?

Yes, a public proof-of-concept exploit is available for CVE-2026-26264. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-26264?

Within 24 hours: identify all systems and devices running affected BACnet Stack versions and assess their operational criticality. Within 7 days: apply available patches to non-production systems and validate functionality before production deployment. Within 30 days: complete patching of all production systems running vulnerable versions, with priority given to critical infrastructure and customer-facing services.

Bacnet Stack CVE-2026-26264

HIGH

Out-of-bounds Read (CWE-125)

2026-02-13 security-advisories@github.com

Denial Of Service Bacnet Stack

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

PoC Detected

Feb 18, 2026 - 18:48 vuln.today

Public exploit code

Patch released

Feb 18, 2026 - 18:48 nvd

Patch available

CVE Published

Feb 13, 2026 - 19:17 nvd

HIGH 8.1

DescriptionGitHub Advisory

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.

AnalysisAI

Unauthenticated remote attackers can crash BACnet Stack prior to versions 1.5.0rc4 and 1.4.3rc2 by sending a malformed WriteProperty request that triggers an integer underflow during APDU decoding, resulting in an out-of-bounds memory read. Public exploit code exists for this vulnerability. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send malformed BACnet WriteProperty request

Exploit

Trigger length underflow in wp_decode_service_request

Execution

Cause out-of-bounds read

Impact

Crash BACnet stack