CVE-2026-28253 - Vulnerability Details

- Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge

Description

A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition

Published: 2026-03-12

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A memory allocation error allows an attacker without authentication to force the Trane Tracer family of controllers to crash or reboot, resulting in an interruption of HVAC services. The flaw arises from an unchecked size parameter during allocation, a classic uncontrolled memory allocation weakness classified as CWE-789. An attacker who can trigger the faulty allocation can cause a denial-of-service condition that disrupts normal building climate control operations and potentially leads to occupant discomfort or equipment damage.

Affected Systems

The vulnerability affects Trane's Tracer Concierge, Tracer SC, and Tracer SC+ products. Firmware versions listed in the Common Platform Enumeration include Trane Tracer SC firmware 4.4 with service packs 1 through 6, and the corresponding Tracer SC+ firmware. The vendor has issued a fix in Tracer SC+ version v6.30.2313, which supersedes earlier releases.

Risk and Exploitability

With a CVSS score of 8.7 the flaw is considered high severity, yet the EPSS score is below 1% and the issue is not catalogued in the CISA KEV list, indicating low current exploitation probability. The vulnerability can be triggered by any entity that can reach the control interface without authentication, implying a remote network attack vector, though the description does not specify the exact channel. An attacker could exploit it to bring the system down, causing significant operational disruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Trane

Tracer SC

unaffected

Version	Status	Constraints
`0`	affected	< v4.4 SP7

Trane

Tracer SC+

unaffected

Version	Status	Constraints
`0`	affected	< v6.3.2310

Trane

Tracer Concierge

unaffected

Version	Status	Constraints
`0`	affected	< v6.3.2310

Configuration 1 [-]

AND

OR	cpe:2.3:o:trane:tracer_sc_firmware::::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5::::::
	cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6::::::

cpe:2.3:h:trane:tracer_sc:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:trane:tracer_sc\+_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:trane:tracer_sc\+:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:trane:tracer_concierge:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Trane

Tracer Concierge

100%

Version	Status	Scheme	Platform
`[0,v6.3.2310)`	affected	generic	—

Trane

Tracer Sc

100%

Version	Status	Scheme	Platform
`[0,v4.4 SP7)`	affected	generic	—

Trane

Tracer Sc

100%

Version	Status	Scheme	Platform
`[0,v6.3.2310)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Trane has released the following versions of Tracer SC+ for users to upgrade to: * CVE-2026-28253: Tracer SC+ version v6.30.2313

OpenCVE Recommended Actions

Upgrade Tracer SC+ to version v6.30.2313
If upgrade cannot be performed immediately, disconnect the affected units from the network to prevent exploitation
Verify the firmware version to confirm it is not vulnerable before proceeding

Generated by OpenCVE AI on March 27, 2026 at 17:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00064.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01

History

Fri, 27 Mar 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Trane tracer Sc\+ Trane tracer Sc\+ Firmware Trane tracer Sc Firmware
CPEs		cpe:2.3:a:trane:tracer_concierge:::::::: cpe:2.3:h:trane:tracer_sc:::::::: cpe:2.3:h:trane:tracer_sc\+:::::::: cpe:2.3:o:trane:tracer_sc\+_firmware:::::::: cpe:2.3:o:trane:tracer_sc_firmware:::::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack1:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack2:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack3:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack4:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack5:::::: cpe:2.3:o:trane:tracer_sc_firmware:4.4:service_pack6::::::
Vendors & Products		Trane tracer Sc\+ Trane tracer Sc\+ Firmware Trane tracer Sc Firmware
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 13 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 13 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Trane Trane tracer Concierge Trane tracer Sc
Vendors & Products		Trane Trane tracer Concierge Trane tracer Sc

Thu, 12 Mar 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition
Title		Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge
Weaknesses		CWE-789
References		https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Trane Tracer Concierge Tracer Sc Tracer Sc\+ Tracer Sc\+ Firmware Tracer Sc Firmware

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-03-12T17:27:03.567Z

Updated: 2026-03-13T16:25:47.523Z

Reserved: 2026-02-25T17:06:34.954Z

Link: CVE-2026-28253

Vulnrichment

Updated: 2026-03-13T16:25:38.350Z

NVD

Status : Analyzed

Published: 2026-03-12T18:16:23.370

Modified: 2026-03-27T16:24:06.553

Link: CVE-2026-28253

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:14Z

Weaknesses

CWE-789

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object