Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
Description (GitHub Advisory)
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an off-by-one out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service decoder allows unauthenticated remote attackers to read one byte past an allocated buffer boundary by sending a crafted RPM request with a truncated object identifier. The vulnerability is in rpm_decode_object_id(), which checks apdu_len < 5 but then accesses all 6 byte positions (indices 0-5) - consuming 1 byte for the context tag, 4 bytes for the object ID, then reading apdu[5] for the opening tag check. A 5-byte input passes the length check but causes a 1-byte OOB read, leading to crashes on embedded BACnet devices. The vulnerability exists in src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler (enabled by default in the reference server). This vulnerability is fixed in 1.4.3.
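The length check described above, reduced to a stand-alone C illustration (an added example, not the bacnet-stack source). The function names, the shared helper and the sample bytes are assumptions made for illustration; 0x0C and 0x1E are the BACnet encodings of context tag 0 with length 4 and of opening tag 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_OBJECT_ID 0x0C /* context tag 0, length 4 */
#define TAG_OPENING_1 0x1E /* opening tag 1 */
#define FIELD_LEN 6        /* 1 tag + 4 object ID + 1 opening tag */
#define DECODE_ERROR (-1)

/* Constructed sample: 6 valid bytes, so index 5 exists in the backing array
 * even when the caller declares only 5 of them as APDU. */
static const uint8_t sample_apdu[FIELD_LEN] = { 0x0C, 0x02, 0x00, 0x00, 0x01, 0x1E };

/* Shared body (hypothetical helper); min_len is the only difference. */
static int decode_with_guard(const uint8_t *apdu, size_t apdu_len,
                             size_t min_len, uint32_t *object_id)
{
    if (apdu == NULL || object_id == NULL || apdu_len < min_len)
        return DECODE_ERROR;
    if (apdu[0] != TAG_OBJECT_ID)
        return DECODE_ERROR;
    *object_id = ((uint32_t)apdu[1] << 24) | ((uint32_t)apdu[2] << 16) |
                 ((uint32_t)apdu[3] << 8) | (uint32_t)apdu[4];
    if (apdu[5] != TAG_OPENING_1) /* touches index 5 */
        return DECODE_ERROR;
    return FIELD_LEN; /* bytes consumed */
}

/* Pattern from the advisory: guard admits 5 bytes, body reads 6. */
static int decode_object_id_weak(const uint8_t *apdu, size_t len, uint32_t *id)
{
    return decode_with_guard(apdu, len, 5, id);
}

/* Guard derived from the highest index the body reads. */
static int decode_object_id_checked(const uint8_t *apdu, size_t len, uint32_t *id)
{
    return decode_with_guard(apdu, len, FIELD_LEN, id);
}

int main(void)
{
    uint32_t id = 0;
    int weak = decode_object_id_weak(sample_apdu, 5, &id);      /* 6 */
    int strict = decode_object_id_checked(sample_apdu, 5, &id); /* -1 */
    int full = decode_object_id_checked(sample_apdu, 6, &id);   /* 6 */
    printf("weak(5)=%d checked(5)=%d checked(6)=%d id=0x%08X\n",
           weak, strict, full, (unsigned)id);
    return 0;
}
```

With a declared length of 5, the weak variant reports 6 bytes consumed, which is the signal that it looked at a byte the caller never offered; the checked variant rejects the same input before any byte is read.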
Analysis (AI)
Remote denial of service in BACnet Stack library versions before 1.4.3 allows unauthenticated attackers to crash embedded building automation devices by sending a malformed ReadPropertyMultiple request with a truncated object identifier. The off-by-one buffer read vulnerability triggers crashes on resource-constrained BACnet devices running the default-enabled RPM service handler. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The vulnerability requires the ReadPropertyMultiple (RPM) confirmed service handler to be enabled in the BACnet Stack application; this is the default configuration in bacnet-stack reference server implementations. … |
| Risk Assessment | Real-world risk assessment reveals moderate priority despite the high CVSS score. … |
| Exploit Scenario | An attacker on the building automation network or with routable access to BACnet/IP services sends a specially crafted ReadPropertyMultiple request to an embedded BACnet controller running vulnerable bacnet-stack library code. The malicious packet contains a truncated 5-byte object identifier sequence that bypasses the apdu_len validation check but triggers an out-of-bounds read when rpm_decode_object_id() accesses the sixth byte position. … |
| Remediation | Upgrade BACnet Stack library to version 1.4.3 or later, which contains the vendor-released fix for the rpm_decode_object_id() bounds checking logic. … |
Recommended Action (AI)
Within 24 hours: Inventory all BACnet devices and applications in your environment and confirm library versions (focus on building automation systems, HVAC controllers, and fire safety devices). …
EUVD-2026-25624