Description
An unauthenticated remote attacker can crash a LOYTEC BACnet device by sending a malformed BACnetTimeSynchronization (or UTC-TimeSynchronization) packet containing an invalid month value. The crash occurs in bacdt_datetime_to_tod at address 0x9bd3cc due to an out-of-bounds array read against the bacdt_days_till_month lookup table.
The issue has been reported as CVE-2026-55732.
Impact
An unauthenticated attacker can repeatedly crash linx_a64.exe with malformed BACnet packets, causingdenial of service. Although the process is auto-restarted, linx_a64.exe provides core services beyond BACnet, so repeated crashes can disrupt multiple functions. After multiple crashes of the linx_a64.exe process, the device will fully reboot.
Mitigation
Upgrade to firmware version 8.4.20.

