CVE-2026-21870— The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-21870
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string
Source: NVD (National Vulnerability Database)
Vulnerability Description
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Off-by-one错误
Source: NVD (National Vulnerability Database)
Vulnerability Title
BACnet Protocol Stack 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
BACnet Protocol Stack是一个适用于多种平台的,用于提供BACnet应用层、网络层和媒体访问(MAC)层通信服务的库。 BACnet Protocol Stack 1.4.2版本、1.5.0.rc2版本及之前版本存在安全漏洞,该漏洞源于ubasic解释器中存在差一栈缓冲区溢出,可能导致处理超长字符串字面量时崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| bacnet-stack | bacnet-stack | <= 1.4.2 | - |
II. Public POCs for CVE-2026-21870
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-21870
请登录查看更多情报信息。
Same Patch Batch · bacnet-stack · 2026-02-13 · 3 CVEs total
| CVE-2026-21878 | 7.5 HIGH | BACnet Stack Improperly Limits Pathnames to a Restricted Directory |
| CVE-2026-26264 | BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash |
IV. Related Vulnerabilities
Same product: bacnet-stack
- CVE-2026-41503
BACnet Stack: Out-of-Bounds Read in ReadPropertyMultiple Pro - CVE-2026-41502
BACnet Stack: Off-by-One Out-of-Bounds Read in ReadPropertyM - CVE-2026-41475
BACnet Stack: Out-of-Bounds Read in WritePropertyMultiple De - CVE-2026-40279
BACnet Stack: Undefined-behavior signed left shift in `decod - CVE-2026-26264
BACnet Stack WriteProperty decoding length underflow leads t
Same vendor: bacnet-stack
- CVE-2026-41503
BACnet Stack: Out-of-Bounds Read in ReadPropertyMultiple Pro - CVE-2026-41502
BACnet Stack: Off-by-One Out-of-Bounds Read in ReadPropertyM - CVE-2026-41475
BACnet Stack: Out-of-Bounds Read in WritePropertyMultiple De - CVE-2026-40279
BACnet Stack: Undefined-behavior signed left shift in `decod - CVE-2026-26264
BACnet Stack WriteProperty decoding length underflow leads t
V. Comments for CVE-2026-21870
No comments yet