CVE-2026-21870

{"id": "CVE-2026-21870", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-02-13T18:16:19.783", "references": [{"url": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bacnet-stack/bacnet-stack/pull/1196", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-193"}]}], "descriptions": [{"lang": "en", "value": "BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow."}, {"lang": "es", "value": "La librer\u00eda de la pila de protocolo BACnet proporciona servicios de comunicaci\u00f3n de capa de aplicaci\u00f3n, capa de red y capa de acceso al medio (MAC) de BACnet. En las versiones 1.4.2, 1.5.0.rc2 y anteriores, un desbordamiento de b\u00fafer basado en pila por un byte en el int\u00e9rprete ubasic provoca un fallo (SIGABRT) al procesar literales de cadena m\u00e1s largos que el l\u00edmite del b\u00fafer. La funci\u00f3n tokenizer_string en src/bacnet/basic/program/ubasic/tokenizer.c maneja incorrectamente la terminaci\u00f3n nula para cadenas de longitud m\u00e1xima. Escribe un byte nulo en dest[40] cuando el tama\u00f1o del b\u00fafer es solo 40 (\u00edndices 0-39), desencadenando un desbordamiento de pila."}], "lastModified": "2026-02-18T18:49:07.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3BF2BFCC-54CE-412E-947A-B5C834161829", "versionEndIncluding": "1.4.2"}, {"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B47182E-6B7F-4C53-904A-EB37C9C0A439"}, {"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF491863-1A31-4A23-A6AC-DF7545FCAA48"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}