NIXPKGS-2026-0258

GitHub issue published on 15 Feb 2026

Permalink CVE-2026-26264

updated 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 2 days ago
@LeSuisse accepted 3 weeks ago
@LeSuisse published on GitHub 3 weeks ago

BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.

References

https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj x_refsource_CONFIRM
https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708 x_refsource_MISC

Affected products

bacnet-stack

==>= 1.5.0rc1, < 1.5.0rc4
==< 1.4.3rc2

Matching in nixpkgs

pkgs.bacnet-stack

BACnet open source protocol stack for embedded systems, Linux, and Windows

nixos-unstable 1.3.5
- nixpkgs-unstable 1.3.5
- nixos-unstable-small 1.3.5
nixos-25.11 1.3.5
- nixos-25.11-small 1.3.5
- nixpkgs-25.11-darwin 1.3.5

Package maintainers

@WhittlesJr Alex Whitt <alex.joseph.whitt@gmail.com>

Upstream advisory: https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj
Upstream patch: https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0258

References

Affected products

Matching in nixpkgs

pkgs.bacnet-stack

Package maintainers