Nixpkgs security tracker
NIXPKGS-2026-0257
GitHub issue
published 4 months, 1 week ago
Permalink
CVE-2026-21870
5.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow.
References
Affected products
bacnet-stack
- ==<= 1.4.2
- ==>= 1.5.0.rc1, <= 1.5.0.rc2
Matching in nixpkgs
pkgs.bacnet-stack
BACnet open source protocol stack for embedded systems, Linux, and Windows
Package maintainers
-
@WhittlesJr Alex Whitt <alex.joseph.whitt@gmail.com>