CVE-2026-21870
📋 TL;DR
This CVE describes an off-by-one stack-based buffer overflow in the BACnet Protocol Stack library's ubasic interpreter. When processing string literals longer than the 40-byte buffer limit, the tokenizer_string function incorrectly writes a null byte beyond the buffer boundary, causing a crash (SIGABRT). This affects systems using BACnet for building automation and control communications.
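The off-by-one described above, as an added C example (not code from the BACnet Protocol Stack or the advisory). The function names flawed_terminator_index and copy_string_literal are hypothetical, and the flawed clamp shown is the general pattern for this bug class, assumed here for illustration; only the 40-byte buffer size comes from the text.

```c
#include <stddef.h>
#include <string.h>

#define STRING_BUF_LEN 40 /* buffer size given in the advisory text */

/* Index where the flawed clamp puts the terminator: the length is capped at
 * len, so a literal of len bytes or more ends with a write to dest[len]. */
size_t flawed_terminator_index(size_t len, size_t literal_len)
{
    size_t n = literal_len;
    if (len < n) {
        n = len;            /* off by one: leaves no room for '\0' */
    }
    return n;               /* dest[n] = 0 would follow the copy */
}

/* Hardened copy: reserve one byte for the terminator before clamping.
 * src points just past the opening quote. Returns the bytes copied,
 * or 0 when there is no closing quote or no room. */
size_t copy_string_literal(char *dest, size_t len, const char *src)
{
    const char *end;
    size_t n;

    if (dest == NULL || src == NULL || len == 0) {
        return 0;
    }
    dest[0] = '\0';
    end = strchr(src, '"');
    if (end == NULL) {
        return 0;           /* unterminated literal: copy nothing */
    }
    n = (size_t)(end - src);
    if (n > len - 1) {
        n = len - 1;        /* truncate, keeping the last byte for '\0' */
    }
    memcpy(dest, src, n);
    dest[n] = '\0';         /* always inside dest[0..len-1] */
    return n;
}
```

With a 40-byte buffer the flawed clamp yields index 40, one past the last valid index 39, while the hardened copy truncates to 39 bytes and terminates in bounds.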
💻 Affected Systems
- BACnet Protocol Stack library
📦 What is this software?
Bacnet Stack by Bacnetstack
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if an attacker can control the overflow to execute arbitrary code.
Likely Case
Denial of service through application crash (SIGABRT) when processing maliciously crafted BACnet packets.
If Mitigated
Application crash with limited impact if stack protections (ASLR, stack canaries) are enabled.
🎯 Exploit Status
Exploitation requires sending specially crafted BACnet packets to vulnerable systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 4e1176394a5ae50d2fd0b5790d9bff806dc08465
Vendor Advisory: https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx
Restart Required: Yes
Instructions:
1. Update to the latest BACnet Protocol Stack version.
2. Rebuild and redeploy applications using the library.
3. Restart affected BACnet services.
🔧 Temporary Workarounds
Disable ubasic interpreter
(All platforms) If ubasic functionality is not required, disable it in the BACnet stack configuration.
Configure BACnet stack to disable ubasic interpreter support
Network segmentation
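(Linux) Isolate BACnet networks from untrusted networks using firewalls. The rule below drops all inbound UDP 47808 traffic on the host, trusted peers included, so place an accept rule for trusted source addresses ahead of it if the host must still receive BACnet traffic.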
iptables -A INPUT -p udp --dport 47808 -j DROP # Block BACnet port
🧯 If You Can't Patch
- Implement strict network access controls to limit BACnet traffic to trusted sources only.
- Deploy intrusion detection systems to monitor for anomalous BACnet packet patterns.
🔍 How to Verify
Check if Vulnerable:
Check if BACnet stack version is 1.4.2, 1.5.0.rc2, or earlier. Review application dependencies for vulnerable library versions.
Check Version:
Check build configuration or source code for BACNET_STACK_VERSION define
Verify Fix Applied:
Verify the BACnet stack includes commit 4e1176394a5ae50d2fd0b5790d9bff806dc08465 or later.
📡 Detection & Monitoring
Log Indicators:
- SIGABRT crashes in BACnet-related processes
- Stack trace references tokenizer_string function
Network Indicators:
- Unusual BACnet packet patterns with long string literals
- Traffic to UDP port 47808 (BACnet standard port)
SIEM Query:
process:name="bacnet*" AND signal:SIGABRT