Skip to main content

BACnet Stack CVE-2026-38570

| EUVDEUVD-2026-34310 HIGH
Out-of-bounds Read (CWE-125)
2026-06-04 mitre GHSA-572j-c8jf-p9vv
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 7.5
Analysis Generated
Jun 08, 2026 - 15:37 vuln.today
CVSS changed
Jun 08, 2026 - 15:37 NVD
7.5 (HIGH)
CVE Published
Jun 04, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

bacnet_stack 1.3.1 contains an Out-of-bounds Read in bacnet_tag_number_decode which allows attackers to cause a denial of service.

AnalysisAI

Denial of service in BACnet Stack 1.3.1 occurs through an out-of-bounds read in the bacnet_tag_number_decode function, allowing remote attackers to crash affected building automation systems by sending crafted BACnet protocol messages. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at a very low 0.02%, though the network-reachable nature of BACnet deployments in critical infrastructure warrants attention.

Technical ContextAI

BACnet Stack is an open-source implementation of the Building Automation and Control Networks (BACnet) protocol (ASHRAE/ANSI 135, ISO 16484-5), widely deployed in HVAC, lighting, access control, and other building management systems. The vulnerability sits in bacnet_tag_number_decode, a parsing routine responsible for decoding the application-layer tag numbers that prefix every BACnet APDU data element. CWE-125 (Out-of-bounds Read) indicates the function reads memory past the boundary of an input buffer - typically due to missing length checks when a malformed or truncated tag header is processed - which can dereference unmapped memory and crash the process handling BACnet/IP (UDP/47808) or BACnet/MSTP traffic.

RemediationAI

No vendor-released patch identified at time of analysis; the only references are the upstream repository and tracking issue https://github.com/bacnet-stack/bacnet-stack/issues/1270, so operators should monitor that issue for a fixed release and pull the upstream commit once merged. As compensating controls, restrict BACnet/IP (UDP/47808) and BACnet/MSTP traffic to trusted management VLANs and block it at the perimeter - BACnet should never be Internet-exposed; place a BACnet-aware firewall or BBMD that drops malformed APDUs in front of vulnerable devices, accepting that legitimate cross-subnet BACnet discovery may need explicit allowlisting. Where a device crash would disrupt life-safety or HVAC operations, plan for watchdog-driven auto-restart or process supervision so a single malformed packet does not produce sustained outage, and rate-limit unsolicited BACnet messages at the network edge.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-38570 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy