CVE-2026-41475
Published: 24 April 2026
Summary
CVE-2026-41475 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Bacnetstack Bacnet Stack. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 50.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of the identified out-of-bounds read flaw in BACnet Stack by applying the version 1.4.3 patch.
Mandates bounds checking and validation of BACnet/IP input buffers in the WritePropertyMultiple decoder to prevent processing truncated or malformed requests.
Implements runtime memory protections to detect and prevent unauthorized out-of-bounds reads beyond allocated buffers in the vulnerable decoder.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE describes unauthenticated remote exploitation of a public-facing BACnet/IP service (T1190) leading to application crashes via out-of-bounds read (T1499.004).
NVD Description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's WritePropertyMultiple service decoder allows unauthenticated remote attackers to read past allocated buffer boundaries by sending a truncated…
more
WPM request. The vulnerability stems from wpm_decode_object_property() calling the deprecated decode_tag_number_and_value() function, which performs no bounds checking on the input buffer. A crafted BACnet/IP packet with a truncated property payload causes the decoder to read 1-7 bytes past the end of the buffer, leading to crashes or information disclosure on embedded BACnet devices. This vulnerability is fixed in 1.4.3.
Deeper analysisAI
CVE-2026-41475 is an out-of-bounds read vulnerability (CWE-125) affecting BACnet Stack, an open-source C library implementing the BACnet protocol for embedded systems, in versions prior to 1.4.3. The flaw resides in the WritePropertyMultiple (WPM) service decoder, where the wpm_decode_object_property() function calls the deprecated decode_tag_number_and_value() without performing bounds checks on the input buffer.
Unauthenticated remote attackers can exploit the vulnerability over the network by sending a crafted BACnet/IP packet containing a truncated WPM request with a malformed property payload. This triggers the decoder to read 1-7 bytes past the end of the allocated buffer, potentially causing application crashes (denial of service) or sensitive information disclosure from adjacent memory on vulnerable embedded BACnet devices. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
The vulnerability is fixed in BACnet Stack version 1.4.3. The GitHub security advisory (GHSA-cvv4-v3g6-4jmv) provides details on the patch, and security practitioners should prioritize updating affected systems to mitigate remote exploitation risks.
Details
- CWE(s)