Bacnet Stack Security Vulnerabilities and Issues — Bacnet Stack CVE List

BacnetstackBacnet Stack

9 matches found

CVE•added 2023/12/25 12:0 a.m.•32 views

CVE-2023-51773

BACnet Stack before 1.3.2 is affected by a decode function APDU buffer over-read in bacapp_decode_application_data (bacapp.c). The vulnerability affects BACnet Stack prior to version 1.3.2 and can impact confidentiality and availability due to a buffer over-read. No explicit exploitation details ...

9.1CVSS7AI score0.00372EPSS

CVE•added 2026/02/13 6:14 p.m.•15 views

CVE-2026-26264

The vulnerability CVE-2026-26264 affects the BACnet Stack C library (embedded systems). In wp_decode_service_request, decoding the optional priority context tag can cause apdu_len - apdu_size underflow if apdu_size > apdu_len for a malformed WriteProperty, leading to an out-of-bounds read and ...

8.8CVSS5.6AI score0.00067EPSS

CVE•added 2026/04/24 7:41 p.m.•11 views

CVE-2026-41503

Technical details about CVE-2026-41503 are not publicly available in the provided documents. Monitor for updates from official advisories.

8.7CVSS5.7AI score0.00366EPSS

CVE•added 2026/02/13 5:58 p.m.•10 views

CVE-2026-21870

The CVE-2026-21870 affects the BACnet Protocol Stack library, specifically versions 1.4.2, 1.5.0.rc2 and earlier. The root cause is an off-by-one, stack-based buffer overflow in the ubasic interpreter’s tokenizer_string function. It mishandles null termination for maximum-length strings, writing ...

5.5CVSS6AI score0.00007EPSS

CVE•added 2025/12/05 6:36 p.m.•9 views

CVE-2025-66624

CVE-2025-66624 affects the BACnet Protocol Stack prior to 1.5.0.rc2. The npdu_is_expected_reply function indexes APDU bytes (request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4]) without validating existence, allowing out-of-bounds reads in tiny PDUs. This can cause an immediate crash (DoS) on A...

7.5CVSS6.4AI score0.00084EPSS

CVE•added 2026/04/24 7:40 p.m.•9 views

CVE-2026-41502

CVE-2026-41502 affects the BACnet Stack C library. The issue is an off-by-one out-of-bounds read in the rpm_decode_object_id() routine used by the ReadPropertyMultiple service decoder. It checks apdu_len

8.7CVSS5.7AI score0.00366EPSS

CVE•added 2026/04/21 4:29 p.m.•8 views

CVE-2026-40279

BACnet Stack (open-source C library for embedded systems) contains a defect in decode_signed32() in src/bacnet/bacint.c where reconstructing a 32-bit signed integer from four APDU bytes via signed left shifts can overflow signed int32_t when any byte has bit 7 set (>= 0x80). This undefined beh...

3.7CVSS5.8AI score0.00065EPSS

CVE•added 2026/04/24 7:39 p.m.•8 views

CVE-2026-41475

Summary: CVE-2026-41475 affects the BACnet Stack library. Prior to version 1.4.3, the WritePropertyMultiple service decoder is vulnerable to an out-of-bounds read caused by wpm_decode_object_property() invoking the deprecated decode_tag_number_and_value() function, which performs no bounds checki...

9.1CVSS5.7AI score0.00392EPSS

CVE•added 2026/02/13 6:10 p.m.•7 views

CVE-2026-21878

The vulnerability CVE-2026-21878 affects BACnet Stack (open source C library) prior to version 1.5.0.rc3, due to lack of validation of user-provided file paths in the file-writing functionality. Affected code paths include apps/readfile/main.c and ports/posix/bacfile-posix.c. The issue allows wri...

7.5CVSS5.7AI score0.00106EPSS