BACnet Stack
Monthly
Remote attackers can crash BACnet Stack-powered embedded devices (versions prior to 1.4.3) by sending malformed ReadPropertyMultiple (RPM) requests containing a 1-byte property payload with an extended tag marker (0xF9). The vulnerability triggers an out-of-bounds read in the RPM service decoder, causing denial of service on industrial building automation systems that use this open-source C library. The issue affects default configurations where the ReadPropertyMultiple service is enabled. EPSS data and KEV status are not available; no public exploit was confirmed at the time of analysis, though the GitHub security advisory provides technical details that could facilitate reproduction.
Remote denial of service in BACnet Stack library versions before 1.4.3 allows unauthenticated attackers to crash embedded building automation devices by sending a malformed ReadPropertyMultiple request with a truncated object identifier. The off-by-one buffer read vulnerability triggers crashes on resource-constrained BACnet devices running the default-enabled RPM service handler. CVSS v4.0 scores this 8.7 (High) based on network attack vector and high availability impact, though no public exploit code or active exploitation has been identified at time of analysis.
Out-of-bounds read in BACnet Stack library versions before 1.4.3 allows unauthenticated remote attackers to crash embedded BACnet devices or disclose memory contents by sending malformed WritePropertyMultiple (WPM) service requests over BACnet/IP. The flaw affects building automation and industrial control systems using the vulnerable C library. No public exploit identified at time of analysis, though the CVSS v4.0 score of 8.7 reflects high availability impact and network-accessible attack surface with low complexity.
BACnet Stack prior to version 1.4.3 exhibits undefined behavior in the decode_signed32() function when processing signed-integer property values containing bytes with the high bit set, causing denial of service through integer overflow. Network-remote attackers can trigger this vulnerability by sending specially crafted BACnet packets with high-bit-set byte sequences, resulting in application instability or crash on embedded systems running vulnerable versions. The vulnerability is confirmed fixed in version 1.4.3.
Unauthenticated remote attackers can crash BACnet Stack prior to versions 1.5.0rc4 and 1.4.3rc2 by sending a malformed WriteProperty request that triggers an integer underflow during APDU decoding, resulting in an out-of-bounds memory read. Public exploit code exists for this vulnerability. The issue affects embedded systems running vulnerable versions of the BACnet protocol stack library.
BACnet Stack is an open-source BACnet protocol stack C library for embedded systems. [CVSS 7.5 HIGH]
The BACnet Protocol Stack library versions 1.4.2 and earlier contain an off-by-one buffer overflow in the ubasic interpreter's string tokenizer that crashes the application when processing oversized string literals. Public exploit code exists for this vulnerability, which affects any system running vulnerable versions of the BACnet Stack or Stack Overflow products. An attacker with local access and user interaction can trigger a denial of service condition through a specially crafted input string.
The BACnet Protocol Stack library provides BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, the npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and are then read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable.
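The missing length guard described in the npdu_is_expected_reply entry, shown as an added example that is not the library's own code. The function names, the meaning of `offset` (the NPDU length returned by the decoder) and the constructed PDU bytes are assumptions; invoke ID and service choice sit at the standard APDU positions, while the +5/+4 comparison is only illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the advisory's pattern: the matcher reads
 * request_pdu[offset+2,+3,+5] and reply_pdu[offset+1,+2,+4], offset being the
 * NPDU length from the decoder. Names and sample bytes are assumptions. */

/* True only if every byte the matcher will read lies inside both buffers
 * (highest relative index: 5 for the request, 4 for the reply); written so
 * that a short buffer or a large offset cannot wrap around. */
bool npdu_reply_indices_in_bounds(size_t offset, size_t request_len, size_t reply_len)
{
    if (request_len <= offset || reply_len <= offset) {
        return false;
    }
    return (request_len - offset > 5) && (reply_len - offset > 4);
}

/* Guarded matcher: a PDU too short to hold the compared bytes is rejected
 * instead of being read past its end. Invoke ID (request +2 / reply +1) and
 * service choice (request +3 / reply +2) follow the standard APDU layout;
 * the +5 / +4 comparison is illustrative only. */
bool npdu_is_expected_reply_checked(const uint8_t *request_pdu, size_t request_len,
                                    const uint8_t *reply_pdu, size_t reply_len,
                                    size_t offset)
{
    if (!npdu_reply_indices_in_bounds(offset, request_len, reply_len)) {
        return false; /* the unguarded version indexes here regardless */
    }
    return request_pdu[offset + 2] == reply_pdu[offset + 1] &&
           request_pdu[offset + 3] == reply_pdu[offset + 2] &&
           request_pdu[offset + 5] == reply_pdu[offset + 4];
}

/* Constructed samples, 2-byte NPDU (version 1, control 0), offset == 2: a minimal
 * confirmed request with matching simple ACK, then the advisory's bare-NPDU case. */
bool demo_matching_pair(void)
{
    const uint8_t request[] = {0x01, 0x04, 0x00, 0x05, 0x2A, 0x0F, 0x00, 0x55};
    const uint8_t reply[]   = {0x01, 0x00, 0x20, 0x2A, 0x0F, 0x00, 0x55};
    return npdu_is_expected_reply_checked(request, 8, reply, 7, 2);
}

bool demo_truncated_request(void)
{
    const uint8_t request[] = {0x01, 0x00}; /* would be read at [4], [5], [7] */
    const uint8_t reply[]   = {0x01, 0x00, 0x20, 0x2A, 0x0F, 0x00, 0x55};
    return npdu_is_expected_reply_checked(request, 2, reply, 7, 2);
}
```

A 2-byte request with offset == 2 is refused before any APDU byte is touched, which is the case the advisory describes as an immediate crash on ASan/MPU builds.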