CVE-2026-26264 Overview
CVE-2026-26264 is an integer underflow vulnerability in BACnet Stack, an open source C implementation of the BACnet protocol aimed at embedded systems. The flaw sits in the decoding of WriteProperty service requests: a malformed request makes the computed remaining-buffer length wrap around, the decoder reads past the end of the APDU buffer, and the process crashes, resulting in a Denial of Service (DoS) condition.
Critical Impact
Attackers can remotely crash BACnet-enabled embedded systems and building automation controllers by sending specially crafted WriteProperty requests, potentially disrupting critical infrastructure and industrial control systems.
Affected Products
- BACnet Stack 1.5.0 release candidates before 1.5.0rc4 (1.5.0rc1, 1.5.0rc2 and 1.5.0rc3)
- BACnet Stack 1.4.3 release candidates before 1.4.3rc2 (1.4.3rc1)
Discovery Timeline
- 2026-02-13 - CVE-2026-26264 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-26264
Vulnerability Analysis
This vulnerability stems from an arithmetic error in the decoding of the optional priority context tag in WriteProperty service requests. The flaw is in the wp_decode_service_request function in wp.c, and the same pattern appears in bacaction.c. While walking the APDU (Application Protocol Data Unit), the code passes the number of bytes still available after the current offset to the context-tag decoder. That remaining length should be apdu_size - apdu_len (buffer size minus bytes already consumed), but the code computes apdu_len - apdu_size instead.
The integer underflow occurs because unsigned integer arithmetic wraps around when the result would be negative. The priority tag is decoded only when bytes remain, i.e. when apdu_len < apdu_size, so apdu_len - apdu_size is negative on every such request and wraps to a value close to the maximum of the unsigned type. That value is passed to bacnet_unsigned_context_decode as the available length, so the decoder's own bounds check can no longer fail. For a well-formed request the tag's declared length keeps the read inside the real buffer anyway, but a truncated APDU whose priority tag declares more value bytes than the packet carries makes the decoder read past the end of the allocated buffer.
Root Cause
The root cause is a classic integer underflow caused by swapped operands in a subtraction. The developers wrote apdu_len - apdu_size where apdu_size - apdu_len was intended when calculating the remaining buffer length for context tag decoding. Because this code path only runs when apdu_len < apdu_size, the subtraction wraps to a very large unsigned value on every request that reaches it rather than producing an error or a negative result; the length argument therefore never constrains the decode, and a truncated packet turns into an out-of-bounds read.
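To make the arithmetic concrete, the following is an added, stand-alone C example written for this page; it is not code from the BACnet Stack project. It uses a hypothetical, simplified bounded decoder named ctx_unsigned_decode in place of bacnet_unsigned_context_decode, a constructed five-byte APDU tail positioned at the priority tag, and both versions of the remaining-length computation from the patch. It shows that the old operand order lets a tag truncated inside its value be consumed one byte past the end of the buffer, while the corrected order rejects the request.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for a bounded context-tag decoder (NOT the BACnet Stack
 * function). 'avail' is the number of bytes the caller says are readable from
 * 'buf'; the decoder must refuse to read past it.
 * BACnet tag byte: bits 7..4 tag number, bit 3 set for a context tag,
 * bits 2..0 the length of the value (1..4 for an Unsigned).
 * Returns bytes consumed (>0), 0 if this is not the requested context tag
 * (optional field absent), or -1 if the encoding is malformed or truncated.
 */
static int ctx_unsigned_decode(const uint8_t *buf, uint32_t avail,
                               uint8_t tag_number, uint32_t *value)
{
    if (avail < 1)
        return -1;
    uint8_t tag = buf[0];
    if ((tag & 0x08) == 0 || (tag >> 4) != tag_number)
        return 0;
    uint32_t len = tag & 0x07;
    if (len == 0 || len > 4)
        return -1;
    if (1 + len > avail)
        return -1;                 /* the bounds check a wrapped 'avail' defeats */
    uint32_t v = 0;
    for (uint32_t i = 0; i < len; i++)
        v = (v << 8) | buf[1 + i];
    *value = v;
    return (int)(1 + len);
}

/* Remaining-length computations as in the page's diff: old (wrong) and new. */
uint32_t remaining_vulnerable(int apdu_len, uint32_t apdu_size)
{
    return (uint32_t)apdu_len - apdu_size;   /* wraps whenever apdu_len < apdu_size */
}

uint32_t remaining_fixed(int apdu_len, uint32_t apdu_size)
{
    return apdu_size - (uint32_t)apdu_len;
}

/*
 * Decode the optional priority [4] tag at offset apdu_len, mirroring the wp.c
 * structure (guard, decode, advance). Returns the new apdu_len, or -1 if the
 * tag was rejected. *overread receives how many bytes past apdu_size were
 * consumed (0 when the decode stayed in bounds).
 */
int decode_priority(const uint8_t *apdu, uint32_t apdu_size, int apdu_len,
                    bool use_fix, uint32_t *priority, int *overread)
{
    *overread = 0;
    if ((unsigned)apdu_len < apdu_size) {
        uint32_t remaining = use_fix ? remaining_fixed(apdu_len, apdu_size)
                                     : remaining_vulnerable(apdu_len, apdu_size);
        int len = ctx_unsigned_decode(&apdu[apdu_len], remaining, 4, priority);
        if (len < 0)
            return -1;
        apdu_len += len;
        if ((unsigned)apdu_len > apdu_size)
            *overread = (int)((unsigned)apdu_len - apdu_size);
    }
    return apdu_len;
}

/*
 * Constructed sample (not a captured packet): the tail of a WriteProperty
 * request at the priority tag. Offsets 0..2 stand in for already decoded
 * fields; offset 3 is 0x4A = context tag 4 with a declared length of 2, but
 * the APDU ends after one value byte (apdu_size = 5). Bytes from offset 5 on
 * are padding so this demo never touches memory outside the array; a real
 * decoder would be reading past its receive buffer there.
 */
static const uint8_t sample_backing[8] = {
    0x00, 0x00, 0x00,   /* placeholder for preceding fields     */
    0x4A,               /* [4] context tag, declared length 2   */
    0x00,               /* the only value byte actually present */
    0x08, 0xEE, 0xEE    /* beyond apdu_size: would be OOB       */
};
#define SAMPLE_APDU_SIZE 5u
#define SAMPLE_APDU_LEN  3

int main(void)
{
    uint32_t priority = 0;
    int overread = 0, new_len;

    printf("remaining (vulnerable) = 0x%08" PRIX32 "\n",
           remaining_vulnerable(SAMPLE_APDU_LEN, SAMPLE_APDU_SIZE));
    printf("remaining (fixed)      = %" PRIu32 "\n",
           remaining_fixed(SAMPLE_APDU_LEN, SAMPLE_APDU_SIZE));
    new_len = decode_priority(sample_backing, SAMPLE_APDU_SIZE, SAMPLE_APDU_LEN,
                              false, &priority, &overread);
    printf("vulnerable: apdu_len %d -> %d, priority %" PRIu32 ", %d byte(s) past the APDU\n",
           SAMPLE_APDU_LEN, new_len, priority, overread);
    new_len = decode_priority(sample_backing, SAMPLE_APDU_SIZE, SAMPLE_APDU_LEN,
                              true, &priority, &overread);
    printf("fixed:      decode returned %d (truncated tag rejected)\n", new_len);
    return 0;
}
```

With the old operand order the remaining length is 0xFFFFFFFE, the decoder accepts the two-byte value, and apdu_len advances to 6 on a 5-byte APDU; with the corrected order the remaining length is 2, the declared 3-byte tag does not fit, and the decode fails before any byte beyond the buffer is touched.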
Attack Vector
An attacker can exploit this vulnerability remotely over the network by sending a specially crafted BACnet WriteProperty request to any device running the vulnerable BACnet Stack library. The attack requires no authentication or user interaction, making it particularly dangerous for exposed building automation systems and industrial control environments.
The attacker would craft a WriteProperty request whose APDU is truncated inside the optional priority context tag, so that the tag declares more value bytes than the packet actually carries. When the vulnerable code processes this request, the wrapped remaining length disables the decoder's bounds check, the read runs past the end of the buffer, and the application crashes.
// Vulnerable code in wp.c - incorrect operand order
}
if ((unsigned)apdu_len < apdu_size) {
len = bacnet_unsigned_context_decode(
- &apdu[apdu_len], apdu_len - apdu_size, 4, &unsigned_value);
+ &apdu[apdu_len], apdu_size - apdu_len, 4, &unsigned_value);
if (len > 0) {
apdu_len += len;
if ((unsigned_value >= BACNET_MIN_PRIORITY) &&
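Review bot: the corrected operand order is right, and the surrounding guard `if ((unsigned)apdu_len < apdu_size)` guarantees `apdu_size - apdu_len` is positive here, but the cast in that guard shows apdu_len is signed while apdu_size is unsigned, so the new expression also converts apdu_len to unsigned; that is only safe as long as apdu_len can never be negative at this point, which deserves a comment or an assert given that the same pattern was copied into bacaction.c. Please also add a regression test that feeds a WriteProperty request truncated inside the [4] priority tag and checks that the decoder returns an error instead of advancing apdu_len past apdu_size, and grep the tree for any other `apdu_len - apdu_size` occurrences.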
Source: GitHub Commit
// Vulnerable code in bacaction.c - same pattern
apdu_len += len;
/* priority [5] Unsigned (1..16) OPTIONAL */
len = bacnet_unsigned_context_decode(
- &apdu[apdu_len], apdu_len - apdu_size, 5, &unsigned_value);
+ &apdu[apdu_len], apdu_size - apdu_len, 5, &unsigned_value);
if (len > 0) {
apdu_len += len;
if ((unsigned_value >= BACNET_MIN_PRIORITY) &&
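Review bot: unlike the wp.c hunk, the visible context here has no `apdu_len < apdu_size` guard before the priority decode, so `apdu_size - apdu_len` is computed unconditionally. When apdu_len == apdu_size the argument is 0 and the decoder must reliably reject that; if an earlier decode ever advanced apdu_len past apdu_size the subtraction wraps exactly as the old code did. Suggest wrapping the call in the same `if ((unsigned)apdu_len < apdu_size)` check used in wp.c, and keeping the `if (len > 0)` branch as the only place the priority is applied since the [5] tag is OPTIONAL.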
Source: GitHub Commit
Detection Methods for CVE-2026-26264
Indicators of Compromise
- Unexpected crashes or restarts of BACnet-enabled devices and controllers
- Malformed BACnet WriteProperty requests with truncated APDUs appearing in network traffic
- Segmentation faults or access violation errors in logs related to wp_decode_service_request or bacnet_unsigned_context_decode functions
- Sudden unavailability of building automation or industrial control systems using BACnet protocol
Detection Strategies
- Deploy network intrusion detection systems (IDS) with rules to identify malformed BACnet WriteProperty requests with abnormal APDU lengths
- Implement BACnet protocol-aware deep packet inspection to detect truncated or malformed service requests
- Monitor system logs for crash reports and segmentation faults originating from BACnet Stack components
- Establish baseline network behavior for BACnet traffic and alert on anomalous patterns
Monitoring Recommendations
- Enable verbose logging on BACnet controllers and gateways to capture protocol-level errors
- Configure SIEM rules to correlate multiple BACnet device failures that could indicate active exploitation
- Implement network segmentation monitoring to detect unauthorized BACnet traffic from untrusted network segments
- Set up automated alerts for any BACnet device crashes or service interruptions
How to Mitigate CVE-2026-26264
Immediate Actions Required
- Upgrade BACnet Stack to 1.5.0rc4 or later, or to 1.4.3rc2 or later on the 1.4 line, as soon as possible
- Isolate vulnerable BACnet devices behind firewalls and restrict network access to trusted sources only
- Review network segmentation to ensure BACnet traffic is not exposed to untrusted networks
- Implement network-level filtering to block malformed BACnet requests if patching is not immediately possible
Patch Information
The vulnerability has been fixed in BACnet Stack versions 1.5.0rc4 and 1.4.3rc2. The fix corrects the operand order in the subtraction from apdu_len - apdu_size to apdu_size - apdu_len, so the length handed to the context tag decoder is the actual number of remaining bytes and its bounds check becomes effective.
The security patch is available at the GitHub Commit. Additional details can be found in the GitHub Security Advisory.
Workarounds
- Implement network access control lists (ACLs) to restrict BACnet UDP port 47808 access to authorized systems only
- Deploy a BACnet-aware application firewall or protocol gateway that validates request integrity before forwarding
- Consider temporarily disabling WriteProperty service on critical devices if the functionality is not essential
- Use VPN or encrypted tunnels for any remote BACnet communications
# Configuration example - Restrict BACnet/IP traffic using iptables on a Linux host or gateway
# Allow BACnet/IP (UDP 47808, 0xBAC0) only from the trusted management network (example: 10.0.1.0/24)
iptables -A INPUT -p udp --dport 47808 -s 10.0.1.0/24 -j ACCEPT
# Log everything else before dropping it; a LOG rule placed after the DROP would never be reached
iptables -A INPUT -p udp --dport 47808 -j LOG --log-prefix "BACnet-BLOCKED: "
iptables -A INPUT -p udp --dport 47808 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


