Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
bacnet_stack 1.3.1 contains an Out-of-bounds Read in bacnet_tag_number_decode which allows attackers to cause a denial of service.
AnalysisAI
Denial of service in BACnet Stack 1.3.1 occurs through an out-of-bounds read in the bacnet_tag_number_decode function, allowing remote attackers to crash affected building automation systems by sending crafted BACnet protocol messages. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at a very low 0.02%, though the network-reachable nature of BACnet deployments in critical infrastructure warrants attention.
Technical ContextAI
BACnet Stack is an open-source implementation of the Building Automation and Control Networks (BACnet) protocol (ASHRAE/ANSI 135, ISO 16484-5), widely deployed in HVAC, lighting, access control, and other building management systems. The vulnerability sits in bacnet_tag_number_decode, a parsing routine responsible for decoding the application-layer tag numbers that prefix every BACnet APDU data element. CWE-125 (Out-of-bounds Read) indicates the function reads memory past the boundary of an input buffer - typically due to missing length checks when a malformed or truncated tag header is processed - which can dereference unmapped memory and crash the process handling BACnet/IP (UDP/47808) or BACnet/MSTP traffic.
RemediationAI
No vendor-released patch identified at time of analysis; the only references are the upstream repository and tracking issue https://github.com/bacnet-stack/bacnet-stack/issues/1270, so operators should monitor that issue for a fixed release and pull the upstream commit once merged. As compensating controls, restrict BACnet/IP (UDP/47808) and BACnet/MSTP traffic to trusted management VLANs and block it at the perimeter - BACnet should never be Internet-exposed; place a BACnet-aware firewall or BBMD that drops malformed APDUs in front of vulnerable devices, accepting that legitimate cross-subnet BACnet discovery may need explicit allowlisting. Where a device crash would disrupt life-safety or HVAC operations, plan for watchdog-driven auto-restart or process supervision so a single malformed packet does not produce sustained outage, and rate-limit unsolicited BACnet messages at the network edge.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34310
GHSA-572j-c8jf-p9vv