Skip to main content

Tracer Sc Firmware CVE-2026-28253

HIGH
Memory Allocation with Excessive Size Value (CWE-789)
2026-03-12 ics-cert@hq.dhs.gov
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 19:57 vuln.today
CVE Published
Mar 12, 2026 - 18:16 nvd
HIGH 8.7

DescriptionCVE.org

A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition

Analysis

A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted network request
Exploit
Trigger excessive memory allocation
Execution
Exhaust system memory
Impact
Cause denial-of-service

Vulnerability AssessmentAI

Exploitation No special conditions — remote unauthenticated exploitation against default configurations of Trane Tracer SC, Tracer SC+, and Tracer Concierge systems with network accessibility. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS score of 8.7 (HIGH). Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a malicious network packet with an oversized allocation parameter to a Trane building management system. The vulnerable memory allocation function processes this parameter without validation, allocating excessive memory and crashing the service, rendering the system unavailable.
Remediation Monitor vendor advisories for patches. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 7 days: Identify all affected systems and apply vendor patches promptly. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-28253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy