Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0257

NIXPKGS-2026-0257
published on
Permalink CVE-2026-21870
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago
The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string

BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow.

Affected products

bacnet-stack
  • ==>= 1.5.0.rc1, <= 1.5.0.rc2
  • ==<= 1.4.2

Matching in nixpkgs

pkgs.bacnet-stack

BACnet open source protocol stack for embedded systems, Linux, and Windows

Package maintainers

Upstream advisory: https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx
Upstream patch: https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465