BACnet Stack CVE-2026-41475

EUVD-2026-25621 · HIGH
Out-of-bounds Read (CWE-125)
2026-04-24 GitHub_M
8.7 · CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Patch released · Apr 28, 2026 - 15:36 · nvd · Patch available
Re-analysis Queued · Apr 27, 2026 - 14:22 · vuln.today · cvss_changed
Patch available · Apr 24, 2026 - 21:02 · EUVD
Analysis Generated · Apr 24, 2026 - 20:30 · vuln.today
CVSS changed · Apr 24, 2026 - 20:22 · NVD · 8.7 (HIGH)
EUVD ID Assigned · Apr 24, 2026 - 20:15 · euvd · EUVD-2026-25621
Analysis Generated · Apr 24, 2026 - 20:15 · vuln.today
CVE Published · Apr 24, 2026 - 19:39 · nvd · HIGH 8.7

Description (GitHub Advisory)

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's WritePropertyMultiple service decoder allows unauthenticated remote attackers to read past allocated buffer boundaries by sending a truncated WPM request. The vulnerability stems from wpm_decode_object_property() calling the deprecated decode_tag_number_and_value() function, which performs no bounds checking on the input buffer. A crafted BACnet/IP packet with a truncated property payload causes the decoder to read 1-7 bytes past the end of the buffer, leading to crashes or information disclosure on embedded BACnet devices. This vulnerability is fixed in 1.4.3.
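An added example, not code from bacnet-stack or the advisory: a bounds-checked decoder for a BACnet tag header, which can span 1 to 7 octets (initial octet, extended tag number, extended-length marker, up to 4 length octets), so every read is gated on the octets remaining. The names `tag_header` and `tag_header_decode` are hypothetical, and the input in `main` is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result type for this example; not a bacnet-stack structure. */
struct tag_header {
    uint8_t number;  /* tag number, 0-254 */
    int context;     /* 1 = context-specific class, 0 = application */
    uint32_t lvt;    /* length/value/type, after any extended length */
};

/* Decode one tag header from buf[0..size). Returns octets consumed (1-7),
 * or 0 when the buffer ends before the header is complete. */
size_t tag_header_decode(const uint8_t *buf, size_t size, struct tag_header *out)
{
    size_t len = 0;

    if (buf == NULL || out == NULL || size < 1) return 0;
    uint8_t first = buf[len++];
    out->number = first >> 4;
    out->context = (first & 0x08) != 0;
    out->lvt = first & 0x07;
    if (out->number == 0x0F) {          /* extended tag number octet */
        if (size - len < 1) return 0;
        out->number = buf[len++];
    }
    if ((first & 0x07) == 5) {          /* extended length follows */
        if (size - len < 1) return 0;
        uint32_t ext = buf[len++];
        size_t extra = (ext == 254) ? 2 : (ext == 255) ? 4 : 0;
        if (size - len < extra) return 0;   /* truncated length field */
        for (size_t i = 0; i < extra; i++)
            ext = (i == 0 ? 0 : ext << 8) | buf[len++];
        out->lvt = ext;
    }
    return len;
}

int main(void)
{
    /* Constructed input: header announces a 32-bit length, then stops. */
    const uint8_t truncated[] = { 0x75, 0xFF, 0x00 };
    struct tag_header h;
    size_t n = tag_header_decode(truncated, sizeof truncated, &h);
    printf("consumed=%zu (%s)\n", n, n ? "ok" : "rejected: truncated");
    return 0;
}
```

A caller still has to compare the decoded length against the octets remaining before reading the value that follows the header.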

Analysis (AI)

Out-of-bounds read in BACnet Stack library versions before 1.4.3 allows unauthenticated remote attackers to crash embedded BACnet devices or disclose memory contents by sending malformed WritePropertyMultiple (WPM) service requests over BACnet/IP. The flaw affects building automation and industrial control systems using the vulnerable C library. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Scan network for BACnet/IP services on UDP 47808
Delivery: Send crafted WPM request with truncated property payload
Exploit: Trigger out-of-bounds read in wpm_decode_object_property()
Execution: Crash target device or leak memory contents
Impact: Disrupt building automation operations

Vulnerability Assessment (AI)

Exploitation: Requires network connectivity to BACnet/IP service endpoints (UDP port 47808) on devices running bacnet-stack versions before 1.4.3. …
Risk Assessment: CVSS v4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms network-accessible exploitation requiring no authentication or user interaction, with high availability impact (VA:H). …
Exploit Scenario: An attacker on the building automation network or via compromised HVAC vendor remote access sends a crafted BACnet/IP packet containing a WritePropertyMultiple request with intentionally truncated property data to a vulnerable controller at UDP port 47808. The wpm_decode_object_property() function reads past the buffer boundary during tag parsing, causing the embedded device to crash and restart, disrupting climate control or access systems. …
Remediation: Upgrade BACnet Stack library to version 1.4.3 or later, which replaces the deprecated decode_tag_number_and_value() function with bounds-checked parsing logic. …

Recommended Action (AI)

Within 24 hours: Identify all deployed BACnet devices and systems using BACnet Stack library versions before 1.4.3 (request asset inventory from facilities/building management teams). …

CVE-2026-41475 vulnerability details – vuln.today
