Impact
An off-by-one stack overflow occurs in the ubasic interpreter inside the BACnet Protocol Stack library. When a string literal longer than the 40-byte buffer is parsed, the tokenizer writes a null byte one position past the end of the buffer, corrupting the stack and causing the process to abort with SIGABRT. The bug does not enable code execution or privilege escalation, but it reliably disrupts service by terminating the process that is handling BACnet messages. The impact corresponds to a moderate-severity denial of service.
Affected Systems
The vulnerability affects the BACnet Protocol Stack (bacnet-stack) library, specifically versions 1.4.2, 1.5.0 RC2, and earlier releases. Systems that incorporate these library versions in their BACnet applications are potentially affected. The stack uses a tokenizer function located in src/bacnet/basic/program/ubasic/tokenizer.c to process string literals, and the flaw is present in all releases prior to the version that corrects the null-termination logic.
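To make the off-by-one concrete, the following is a constructed illustration written for this advisory, not code from bacnet-stack: copy_literal_unsafe reproduces the pattern described above (copy up to MAXSTRING bytes, then terminate at buf[len]), copy_literal_fixed shows the corrected bound, and canary_intact places a marker byte just past the buffer so the overflow can be observed without leaving the demonstration's own allocation. The MAXSTRING name, the CANARY value and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAXSTRING 40   /* literal buffer size named in the advisory */
#define CANARY    0xAA /* constructed marker for the byte after the buffer */

/* Constructed reproduction of the flaw (not the bacnet-stack code): copies a
 * quoted literal until the closing quote or MAXSTRING bytes, then terminates
 * at buf[len]. For a literal of MAXSTRING or more bytes, len == MAXSTRING and
 * the '\0' is written one byte past the buffer. */
static size_t copy_literal_unsafe(char *buf, const char *src)
{
    size_t len = 0;
    while (src[len] != '"' && src[len] != '\0' && len < MAXSTRING) {
        buf[len] = src[len];
        len++;
    }
    buf[len] = '\0'; /* off-by-one: index may equal MAXSTRING */
    return len;
}

/* Fixed form: reserve the last byte for the terminator, so at most
 * MAXSTRING - 1 characters are stored and buf[len] is always in bounds. */
static size_t copy_literal_fixed(char *buf, const char *src)
{
    size_t len = 0;
    while (src[len] != '"' && src[len] != '\0' && len < MAXSTRING - 1) {
        buf[len] = src[len];
        len++;
    }
    buf[len] = '\0';
    return len;
}

/* Runs one variant against a literal and reports whether the byte just past
 * the MAXSTRING-byte buffer survived. The frame is deliberately one byte
 * larger than the buffer so the demonstration itself stays in bounds.
 * Returns 1 if the marker is intact, 0 if the terminator clobbered it. */
int canary_intact(const char *literal, int use_fixed)
{
    unsigned char frame[MAXSTRING + 1];
    memset(frame, 0, sizeof frame);
    frame[MAXSTRING] = CANARY;
    if (use_fixed)
        copy_literal_fixed((char *)frame, literal);
    else
        copy_literal_unsafe((char *)frame, literal);
    return frame[MAXSTRING] == CANARY;
}
```

A 39-character literal is handled correctly by both variants; the 40th character is exactly where the unsafe version's terminator leaves the buffer.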
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation within the current time window, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to supply long string literals to the ubasic interpreter, which typically requires local access to the device or the ability to inject input into the application that uses the library. Because the flaw only causes a crash, the risk to confidentiality or integrity is minimal, but the denial of service may affect the operational availability of BACnet devices or services. Overall, the risk is moderate, with a low likelihood of exploitation in current threat environments.
OpenCVE Enrichment