72 matches found
Out-of-bounds Read
Overview bacnet-stack is a None Affected versions of this package are vulnerable to Out-of-bounds Read. via the wpdecodeservicerequest function. An attacker can cause an out-of-bounds read and crash the application by sending a malformed WriteProperty request with a truncated APDU, which triggers...
Off-by-one Error
Overview bacnet-stack is a None Affected versions of this package are vulnerable to Off-by-one Error. via the tokenizerstring function. An attacker can cause a crash by providing a string literal longer than the buffer limit, which leads to a stack overflow when the function incorrectly writes a...
CVE-2026-26264 BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash DoS. The issue is in wp.c within...
CVE-2026-26264
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash DoS. The issue is in wp.c within...
CVE-2026-26264 BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash DoS. The issue is in wp.c within...
CVE-2026-26264 BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash DoS. The issue is in wp.c within...
CVE-2026-26264
The vulnerability CVE-2026-26264 affects the BACnet Stack C library (embedded systems). In wp_decode_service_request, decoding the optional priority context tag can cause apdu_len - apdu_size underflow if apdu_size > apdu_len for a malformed WriteProperty, leading to an out-of-bounds read and ...
CVE-2026-21878
The vulnerability CVE-2026-21878 affects BACnet Stack (open source C library) prior to version 1.5.0.rc3, due to lack of validation of user-provided file paths in the file-writing functionality. Affected code paths include apps/readfile/main.c and ports/posix/bacfile-posix.c. The issue allows wri...
CVE-2026-21878 BACnet Stack Improperly Limits Pathnames to a Restricted Directory
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary...
CVE-2026-21878 BACnet Stack Improperly Limits Pathnames to a Restricted Directory
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary...
CVE-2026-21878
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary...
CVE-2026-21878 BACnet Stack Improperly Limits Pathnames to a Restricted Directory
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary...
CVE-2026-21870
The CVE-2026-21870 affects the BACnet Protocol Stack library, specifically versions 1.4.2, 1.5.0.rc2 and earlier. The root cause is an off-by-one, stack-based buffer overflow in the ubasic interpreter’s tokenizer_string function. It mishandles null termination for maximum-length strings, writing ...
BACnet Stack 路径遍历漏洞
BACnet Stack is an open-source protocol stack for BACnet, suitable for embedded systems, Linux, MacOS, BSD, and Windows. Versions of BACnet Stack prior to 1.5.0.rc3 contained a path traversal vulnerability. This vulnerability stemmed from the lack of validation for the file writing function,...
PT-2026-8020
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash DoS. The issue is in wp.c within wp decode service...
BACnet Stack 缓冲区错误漏洞
BACnet Stack is an open-source protocol stack for BACnet, designed for use in embedded systems, Linux, MacOS, BSD, and Windows. Versions of BACnet Stack prior to 1.5.0rc4 and 1.4.3rc2 contain a buffer error vulnerability. This vulnerability arises from handling WriteProperty requests with incorre...
PT-2026-8019
Name of the Vulnerable Software and Affected Versions BACnet Stack versions prior to 1.5.0.rc3 Description The BACnet Stack software contains a flaw in its file writing functionality. Specifically, there is a lack of validation for user-supplied file paths, which could allow attackers to write...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the npduisexpectedreply function. An attacker can cause a crash or misroute replies by sending specially crafted PDUs that trigger out-of-bounds reads. Remediation A fix was pushed into the master branch but not y...
CVE-2025-66624
CVE-2025-66624 affects the BACnet Protocol Stack prior to 1.5.0.rc2. The npdu_is_expected_reply function indexes APDU bytes (request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4]) without validating existence, allowing out-of-bounds reads in tiny PDUs. This can cause an immediate crash (DoS) on A...
CVE-2025-66624 BACnet-stack MS/TP reply matcher OOB read
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access MAC layer communications services. Prior to 1.5.0.rc2, The npduisexpectedreply function in src/bacnet/npdu.c indexes requestpduoffset+2/3/5 and replypduoffset+1/2/4 without verifying that those APDU...