CVE-2026-41475

CriticalPublic PoC

Published: 24 April 2026

Published

24 April 2026

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Score 0.0027 49.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's WritePropertyMultiple service decoder allows unauthenticated remote attackers to read past allocated buffer boundaries by sending a truncated…

WPM request. The vulnerability stems from wpm_decode_object_property() calling the deprecated decode_tag_number_and_value() function, which performs no bounds checking on the input buffer. A crafted BACnet/IP packet with a truncated property payload causes the decoder to read 1-7 bytes past the end of the buffer, leading to crashes or information disclosure on embedded BACnet devices. This vulnerability is fixed in 1.4.3.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely remediation of the identified out-of-bounds read flaw in BACnet Stack by applying the version 1.4.3 patch.

SI-10 Information Input Validation good match

prevent

Mandates bounds checking and validation of BACnet/IP input buffers in the WritePropertyMultiple decoder to prevent processing truncated or malformed requests.

SI-16 Memory Protection good match

prevent

Implements runtime memory protections to detect and prevent unauthorized out-of-bounds reads beyond allocated buffers in the vulnerable decoder.

Security SummaryAI

CVE-2026-41475 is an out-of-bounds read vulnerability (CWE-125) affecting BACnet Stack, an open-source C library implementing the BACnet protocol for embedded systems, in versions prior to 1.4.3. The flaw resides in the WritePropertyMultiple (WPM) service decoder, where the wpm_decode_object_property() function calls the deprecated decode_tag_number_and_value() without performing bounds checks on the input buffer.

Unauthenticated remote attackers can exploit the vulnerability over the network by sending a crafted BACnet/IP packet containing a truncated WPM request with a malformed property payload. This triggers the decoder to read 1-7 bytes past the end of the allocated buffer, potentially causing application crashes (denial of service) or sensitive information disclosure from adjacent memory on vulnerable embedded BACnet devices. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

The vulnerability is fixed in BACnet Stack version 1.4.3. The GitHub security advisory (GHSA-cvv4-v3g6-4jmv) provides details on the patch, and security practitioners should prioritize updating affected systems to mitigate remote exploitation risks.

Details

CWE(s): CWE-125

Affected Products

bacnetstack

bacnet stack

1.5.0 · 1.4.0 — 1.4.3

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

CVE describes unauthenticated remote exploitation of a public-facing BACnet/IP service (T1190) leading to application crashes via out-of-bounds read (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-cvv4-v3g6-4jmv
Exploit, Mitigation, Vendor Advisory · security-advisories@github.com
https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-cvv4-v3g6-4jmv
Exploit, Mitigation, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0