Description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service property decoder allows unauthenticated remote attackers to read past allocated buffer boundaries by sending an RPM request with a truncated property list. The vulnerability stems from rpm_decode_object_property() calling the deprecated decode_tag_number_and_value() function at src/bacnet/rpm.c:344, which accepts no buffer length parameter and reads blindly from whatever pointer it receives. A crafted BACnet/IP packet with a 1-byte property payload containing an extended tag marker (0xF9) causes the decoder to read 1 byte past the end of the buffer, leading to crashes on embedded BACnet devices. The vulnerability exists in src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler (enabled by default in the reference server). This vulnerability is fixed in 1.4.3.
Published: 2026-04-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Information Disclosure
Action: Patch
AI Analysis

Impact

Prior to version 1.4.3, the BACnet Stack library contained an out‑of‑bounds read in the RPM (ReadPropertyMultiple) property decoder. An attacker can send a BACnet/IP packet containing a truncated property list with a single‑byte payload that includes an extended tag marker (0xF9). The deprecated tag parser reads one byte beyond the input buffer, allowing the attacker to read memory that lies outside the allocated region or, if the read fails, causing the stack to crash. This flaw is categorized as CWE‑125 and can lead to data exposure or denial of service on embedded BACnet devices.

Affected Systems

The vulnerability affects the open‑source BACnet Stack project (identified as bacnet-stack:bacnet-stack) in all releases earlier than 1.4.3. Any deployment that has enabled the ReadPropertyMultiple confirmed service handler – enabled by default in the reference server – is potentially exposed.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating a high severity impact. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further indicating limited active exploitation. Attackers can exploit the weakness remotely over the BACnet/IP network without authentication, sending a crafted message to trigger the overflow. Successful exploitation would allow an attacker to read memory contents beyond the buffer or to crash the stack, potentially interrupting critical building automation systems.

Generated by OpenCVE AI on April 28, 2026 at 05:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to BACnet Stack version 1.4.3 or later, which removes the vulnerable decoder logic.
  • If an upgrade is not immediately possible, disable the ReadPropertyMultiple service in the configuration to prevent processing of the vulnerable request.
  • Deploy network monitoring or rate limiting to detect abnormal BACnet/IP traffic, and restrict access to BACnet devices to trusted sources only.

Generated by OpenCVE AI on April 28, 2026 at 05:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bacnetstack:bacnet_stack:*:*:*:*:*:*:*:*
cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Bacnetstack
Bacnetstack bacnet Stack
Vendors & Products Bacnetstack
Bacnetstack bacnet Stack

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service property decoder allows unauthenticated remote attackers to read past allocated buffer boundaries by sending an RPM request with a truncated property list. The vulnerability stems from rpm_decode_object_property() calling the deprecated decode_tag_number_and_value() function at src/bacnet/rpm.c:344, which accepts no buffer length parameter and reads blindly from whatever pointer it receives. A crafted BACnet/IP packet with a 1-byte property payload containing an extended tag marker (0xF9) causes the decoder to read 1 byte past the end of the buffer, leading to crashes on embedded BACnet devices. The vulnerability exists in src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler (enabled by default in the reference server). This vulnerability is fixed in 1.4.3.
Title BACnet Stack: Out-of-Bounds Read in ReadPropertyMultiple Property Decoder via Deprecated Tag Parser
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Bacnetstack Bacnet Stack
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-27T13:39:56.518Z

Reserved: 2026-04-20T18:18:50.680Z

Link: CVE-2026-41503

cve-icon Vulnrichment

Updated: 2026-04-27T13:39:33.750Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T20:16:28.697

Modified: 2026-04-28T15:30:15.907

Link: CVE-2026-41503

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T06:00:09Z

Weaknesses