diff --git a/CHANGELOG.md b/CHANGELOG.md
index 749e7322..fa8e80f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,10 +12,12 @@ The git repositories are hosted at the following sites:
 * https://bacnet.sourceforge.net/
 * https://github.com/bacnet-stack/bacnet-stack/
-## [Unreleased] - 2026-02-09
+## [Unreleased] - 2026-02-13
 ### Security
+* Secured decoding length underflow in wp_decode_service_request() and
+ bacnet_action_command_decode() which had similar issue. (#1231)
 * Secured Schedule_Weekly_Schedule_Set() the example schedule object by fixing stack buffer overflow. The memcpy was using sizeof(BACNET_WEEKLY_SCHEDULE) instead of sizeof(BACNET_DAILY_SCHEDULE),
diff --git a/src/bacnet/bacaction.c b/src/bacnet/bacaction.c
index c333e67e..64dbdf7e 100644
--- a/src/bacnet/bacaction.c
+++ b/src/bacnet/bacaction.c
@@ -464,7 +464,7 @@ int bacnet_action_command_decode(
 apdu_len += len;
 /* priority [5] Unsigned (1..16) OPTIONAL */
 len = bacnet_unsigned_context_decode(
- &apdu[apdu_len], apdu_len - apdu_size, 5, &unsigned_value);
+ &apdu[apdu_len], apdu_size - apdu_len, 5, &unsigned_value);
 if (len > 0) {
 apdu_len += len;
 if ((unsigned_value >= BACNET_MIN_PRIORITY) &&
@@ -483,7 +483,7 @@ int bacnet_action_command_decode(
 }
 /* postDelay [6] Unsigned OPTIONAL */
 len = bacnet_unsigned_context_decode(
- &apdu[apdu_len], apdu_len - apdu_size, 6, &unsigned_value);
+ &apdu[apdu_len], apdu_size - apdu_len, 6, &unsigned_value);
 if (len > 0) {
 apdu_len += len;
 if (entry) {
@@ -497,7 +497,7 @@ int bacnet_action_command_decode(
 }
 /* quitOnFailure [7] BOOLEAN */
 len = bacnet_boolean_context_decode(
- &apdu[apdu_len], apdu_len - apdu_size, 7, &boolean_value);
+ &apdu[apdu_len], apdu_size - apdu_len, 7, &boolean_value);
 if (len > 0) {
 apdu_len += len;
 if (entry) {
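Review bot: The corrected calls in bacnet_action_command_decode() for priority [5], postDelay [6] and quitOnFailure [7], plus writeSuccessful [8] in the next hunk, pass `apdu_size - apdu_len` with no visible check that apdu_len is still below apdu_size. wp_decode_service_request() guards the same call with `if ((unsigned)apdu_len < apdu_size)`. If apdu_size is unsigned here too, as the cast in wp.c suggests, the remaining length is only right while apdu_len <= apdu_size; the earlier decodes presumably keep that true, but they lie outside these hunks. Since the same expression is written four times and was wrong in all four, consider computing the remaining length once per field behind the wp.c-style guard, or in a small static helper, so the operand order cannot be swapped again. The function body starts and ends outside the hunks.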
@@ -508,7 +508,7 @@ int bacnet_action_command_decode(
 }
 /* writeSuccessful [8] BOOLEAN */
 len = bacnet_boolean_context_decode(
- &apdu[apdu_len], apdu_len - apdu_size, 8, &boolean_value);
+ &apdu[apdu_len], apdu_size - apdu_len, 8, &boolean_value);
 if (len > 0) {
 apdu_len += len;
 if (entry) {
diff --git a/src/bacnet/wp.c b/src/bacnet/wp.c
index 0e0027ff..09b7bf28 100644
--- a/src/bacnet/wp.c
+++ b/src/bacnet/wp.c
@@ -277,7 +277,7 @@ int wp_decode_service_request(
 }
 if ((unsigned)apdu_len < apdu_size) {
 len = bacnet_unsigned_context_decode(
- &apdu[apdu_len], apdu_len - apdu_size, 4, &unsigned_value);
+ &apdu[apdu_len], apdu_size - apdu_len, 4, &unsigned_value);
 if (len > 0) {
 apdu_len += len;
 if ((unsigned_value >= BACNET_MIN_PRIORITY) &&
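Review bot: No regression test accompanies the corrected length argument in wp_decode_service_request(), at least in the part of the diff visible here. A decode test whose buffer ends inside the optional priority [4] field would pin the bound that the old `apdu_len - apdu_size` got wrong. A one-line comment above the call, such as `/* apdu_len < apdu_size is checked above, so the remaining length cannot wrap */`, would also record why the subtraction is safe. The function continues outside the hunk.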