Description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.
Published: 2026-02-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (out‑of‑bounds read leading to crash)
Action: Patch
AI Analysis

Impact

The vulnerability is a length underflow in the WriteProperty decoder of the BACnet Stack library. A specially crafted WriteProperty request causes the decoder to compute apdu_len - apdu_size without first checking that apdu_size <= apdu_len; the result, which should be negative, wraps around to a large positive number. That oversized value is then passed to the context decoder as the available length, triggering an out‑of‑bounds read and ultimately a crash, which is a denial‑of‑service condition. The weakness is classified as CWE‑125.

Affected Systems

Affected are installations of the open‑source BACnet Stack (bacnet-stack). Versions older than 1.5.0rc4 and 1.4.3rc2 are vulnerable, including the release candidates listed in the CPE data such as 1.4.3rc1, 1.5.0rc1 through rc3 and earlier baseline releases. Embedded devices or systems that serve as BACnet gateways or controllers and use these versions are at risk.

Risk and Exploitability

The base score of 7.8 indicates high severity. The EPSS score is below 1%, suggesting that observed exploitation is rare, and the vulnerability is not yet in the KEV list. However, because the flaw can be triggered by sending a malformed WriteProperty request over the BACnet network, any device exposed to an untrusted network could be targeted. Successful exploitation leads to a crash, disrupting service but not permitting remote code execution or data disclosure. The root cause is the decoder's assumption that incoming requests are well formed, so the DoS can be triggered without privileged access.

Generated by OpenCVE AI on April 17, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the bacnet-stack library to version 1.5.0rc4 or later, or to 1.4.3rc2 or later, to eliminate the underflow bug.
  • If an upgrade cannot be applied immediately, replace or augment the protocol processing with a custom filter that validates that the incoming apdu_size does not exceed apdu_len before passing it to the BACnet decoder, preventing the underflow.
  • Continuously monitor embedded BACnet devices for abnormal crashes or service interruptions, and apply hot‑fixes or stable releases as soon as they become available.
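
The missing bounds check described above, as an added C example: a simplified model written for this page, not bacnet-stack's own code. It assumes apdu_len is the number of bytes received and apdu_size is the offset the decoder has reached; the function names and the sample bytes are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model, not bacnet-stack code. Assumption: apdu_len is the
 * number of bytes actually received and apdu_size is the offset the
 * decoder has reached after the earlier, length-prefixed fields. */

#define PRIORITY_TAG 0x49u /* context tag 4 with a 1-octet value */

/* Unchecked pattern from the description: unsigned subtraction wraps. */
size_t remaining_unchecked(size_t apdu_len, size_t apdu_size)
{
    return apdu_len - apdu_size; /* huge value when apdu_size > apdu_len */
}

/* Hardened decode of the optional priority tag.
 * Returns 1 = priority decoded, 0 = tag absent, -1 = malformed/truncated. */
int decode_optional_priority(const uint8_t *apdu, size_t apdu_len,
                             size_t apdu_size, uint8_t *priority)
{
    if (apdu == NULL || priority == NULL)
        return -1;
    if (apdu_size > apdu_len)   /* the missing check: reject, never subtract */
        return -1;
    size_t remaining = apdu_len - apdu_size; /* cannot wrap after the check */
    if (remaining == 0)
        return 0;               /* optional field not present */
    if (apdu[apdu_size] != PRIORITY_TAG)
        return -1;              /* unexpected trailing data */
    if (remaining < 2)
        return -1;              /* tag octet without its value octet */
    *priority = apdu[apdu_size + 1];
    return 1;
}

/* Constructed sample bytes (not captured traffic): 6 bytes standing in for
 * the earlier fields, then priority tag 0x49 with value 8. */
static const uint8_t SAMPLE_APDU[8] = { 0, 0, 0, 0, 0, 0, 0x49, 0x08 };

int main(void)
{
    uint8_t prio = 0;
    /* Full frame decodes; a frame cut to 5 bytes with offset 6 is rejected. */
    int ok = decode_optional_priority(SAMPLE_APDU, 8, 6, &prio);
    int bad = decode_optional_priority(SAMPLE_APDU, 5, 6, &prio);
    return (ok == 1 && prio == 8 && bad == -1) ? 0 : 1;
}
```

The same comparison is what a pre-decode filter would apply when an upgrade has to wait: drop the request whenever the offset exceeds the received length, before any subtraction takes place.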



Advisories

No advisories yet.

History

Wed, 18 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bacnetstack:bacnet_stack:*:*:*:*:*:*:*:*
cpe:2.3:a:bacnetstack:bacnet_stack:1.4.3:rc1:*:*:*:*:*:*
cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:*
cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc2:*:*:*:*:*:*
cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc3:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Bacnetstack
Bacnetstack bacnet Stack
Vendors & Products Bacnetstack
Bacnetstack bacnet Stack

Fri, 13 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Description BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.
Title BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-13T18:50:30.367Z

Reserved: 2026-02-12T17:10:53.412Z

Link: CVE-2026-26264

Vulnrichment

Updated: 2026-02-13T18:50:05.321Z

NVD

Status: Analyzed

Published: 2026-02-13T19:17:31.143

Modified: 2026-02-18T18:48:15.177

Link: CVE-2026-26264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses