NIXPKGS-2026-0259

GitHub issue published on 15 Feb 2026

Permalink CVE-2026-21878

updated 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 2 days ago
@LeSuisse accepted 3 weeks ago
@LeSuisse published on GitHub 3 weeks ago

BACnet Stack Improperly Limits Pathnames to a Restricted Directory

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3.

References

https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j x_refsource_CONFIRM
https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3 x_refsource_MISC

Affected products

bacnet-stack

==< 1.5.0.rc3

Matching in nixpkgs

pkgs.bacnet-stack

BACnet open source protocol stack for embedded systems, Linux, and Windows

nixos-unstable 1.3.5
- nixpkgs-unstable 1.3.5
- nixos-unstable-small 1.3.5
nixos-25.11 1.3.5
- nixos-25.11-small 1.3.5
- nixpkgs-25.11-darwin 1.3.5

Package maintainers

@WhittlesJr Alex Whitt <alex.joseph.whitt@gmail.com>

Unclear from the advisory if it only impacts version >= 1.5.0.rc1 or not.

Upstream advisory: https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j
Upstream patch: https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0259

References

Affected products

Matching in nixpkgs

pkgs.bacnet-stack

Package maintainers