BACnet Stack
cpe:2.3:a:bacnetstack:bacnet_stack:*:*:*:*:*:*:*
- 1.5.0
- ~1.4
A length underflow vulnerability has been identified in the BACnet Stack library in versions prior to 1.5.0rc4 and 1.4.3rc2. The issue arises in WriteProperty request handling, where the decoder fails to properly validate the length of the APDU. A malformed or truncated APDU can cause the length calculation to underflow, leading to an out-of-bounds read and a subsequent crash, resulting in a denial-of-service condition.
Exploitation of this vulnerability causes a process crash, leading to a denial-of-service condition.
The vulnerability can be reproduced by sending a malformed WriteProperty request that truncates the APDU. This can be done using a crafted BACnet message that exploits the length validation flaw in the 'wp_decode_service_request' function.
Users can upgrade to BACnet Stack versions 1.5.0rc4 or 1.4.3rc2, where this vulnerability has been fixed.