CVE-2026-41502
Published: 24 April 2026
Summary
CVE-2026-41502 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Bacnetstack Bacnet Stack. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 47.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely remediation through patching to BACnet Stack version 1.4.3, which fixes the off-by-one OOB read in rpm_decode_object_id().
SI-10 (Information Input Validation): requires validation of BACnet RPM request APDU lengths and object identifiers to block crafted truncated inputs that pass the apdu_len < 5 check but trigger the 6-byte access OOB read.
Protects embedded BACnet devices from denial-of-service crashes triggered by unauthenticated remote attackers sending crafted RPM requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The off-by-one out-of-bounds read in the BACnet RPM decoder directly enables remote exploitation causing application crashes and denial-of-service on affected devices.
NVD Description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an off-by-one out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service decoder allows unauthenticated remote attackers to read one byte past an allocated buffer boundary by sending a crafted RPM request with a truncated object identifier. The vulnerability is in rpm_decode_object_id(), which checks apdu_len < 5 but then accesses all 6 byte positions (indices 0-5) — consuming 1 byte for the context tag, 4 bytes for the object ID, then reading apdu[5] for the opening tag check. A 5-byte input passes the length check but causes a 1-byte OOB read, leading to crashes on embedded BACnet devices. The vulnerability exists in src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler (enabled by default in the reference server). This vulnerability is fixed in 1.4.3.
Deeper analysis
CVE-2026-41502 is an off-by-one out-of-bounds read vulnerability in the BACnet Stack, an open-source C library protocol stack for embedded systems implementing the BACnet protocol. The issue resides in the ReadPropertyMultiple (RPM) service decoder, specifically the rpm_decode_object_id() function in src/bacnet/rpm.c. Prior to version 1.4.3, the function checks if apdu_len is less than 5 but then accesses six byte positions (indices 0-5), including a context tag, four bytes for the object ID, and apdu[5] for an opening tag check. A crafted five-byte input passes the length check but triggers a one-byte read past the allocated buffer boundary. This affects any deployment enabling the ReadPropertyMultiple confirmed service handler, which is enabled by default in the reference server.
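To make the off-by-one described in the NVD description and the analysis above concrete, here is an added example (not code from bacnet-stack) that models the RPM object-identifier element as the advisory lays it out: one context-tag byte, four object-identifier bytes, then the opening tag at index 5, so a complete element is 6 bytes. The pre-fix guard is modelled as `apdu_len >= 5`, the fixed guard as `apdu_len >= 6`; `oob_bytes_with_vulnerable_guard()` computes how far past the buffer the old guard would let the decoder reach without actually performing the read, and `rpm_decode_object_id_safe()` is a bounds-checked decoder of this layout. Function names, the tag-byte values and the sample packets are this example's own assumptions and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Element layout per the advisory (example model, not the library's code):
 *   apdu[0]    context tag 0, length 4 (BACnet encodes this as 0x0C)
 *   apdu[1..4] 32-bit BACnetObjectIdentifier, big-endian
 *   apdu[5]    opening tag 1 (0x1E), start of the property reference list
 */
#define RPM_OBJECT_ID_ELEMENT_LEN 6
#define CTX_TAG0_LEN4   0x0C
#define OPENING_TAG1    0x1E

/* Pre-fix style guard: only rejects len < 5, so a 5-byte truncated element passes. */
bool rpm_len_check_vulnerable(size_t apdu_len) { return apdu_len >= 5; }

/* Fixed guard: requires every byte the decoder will touch (indices 0..5). */
bool rpm_len_check_fixed(size_t apdu_len) { return apdu_len >= RPM_OBJECT_ID_ELEMENT_LEN; }

/* How many bytes past the end of the buffer the decoder would touch if it
 * relied on the vulnerable guard. Computed arithmetically, so this never
 * performs the out-of-bounds access it describes. */
size_t oob_bytes_with_vulnerable_guard(size_t apdu_len)
{
    if (!rpm_len_check_vulnerable(apdu_len)) return 0;            /* rejected, nothing read   */
    if (apdu_len >= RPM_OBJECT_ID_ELEMENT_LEN) return 0;          /* buffer large enough      */
    return RPM_OBJECT_ID_ELEMENT_LEN - apdu_len;                  /* 5 bytes in -> 1 byte OOB */
}

/* Bounds-checked decode of the element. Returns bytes consumed (6) or -1.
 * Every index used is below apdu_len once the fixed guard has passed. */
int rpm_decode_object_id_safe(const uint8_t *apdu, size_t apdu_len,
                              uint16_t *object_type, uint32_t *instance)
{
    if (apdu == NULL || object_type == NULL || instance == NULL) return -1;
    if (!rpm_len_check_fixed(apdu_len)) return -1;                /* truncated element       */
    if (apdu[0] != CTX_TAG0_LEN4) return -1;                      /* wrong context tag       */

    uint32_t raw = ((uint32_t)apdu[1] << 24) | ((uint32_t)apdu[2] << 16) |
                   ((uint32_t)apdu[3] << 8)  |  (uint32_t)apdu[4];
    *object_type = (uint16_t)(raw >> 22);                         /* top 10 bits: object type */
    *instance    = raw & 0x3FFFFFu;                               /* low 22 bits: instance    */

    if (apdu[5] != OPENING_TAG1) return -1;                       /* property list must follow */
    return RPM_OBJECT_ID_ELEMENT_LEN;
}

int main(void)
{
    /* Constructed sample: device object (type 8), instance 1, followed by opening tag 1. */
    const uint8_t complete[6]  = { CTX_TAG0_LEN4, 0x02, 0x00, 0x00, 0x01, OPENING_TAG1 };
    /* Constructed sample: same element with the opening tag cut off (the 5-byte case). */
    const uint8_t truncated[5] = { CTX_TAG0_LEN4, 0x02, 0x00, 0x00, 0x01 };
    uint16_t type = 0; uint32_t inst = 0;

    printf("5-byte input: old guard passes=%d, fixed guard passes=%d, bytes past end=%zu\n",
           rpm_len_check_vulnerable(sizeof truncated), rpm_len_check_fixed(sizeof truncated),
           oob_bytes_with_vulnerable_guard(sizeof truncated));
    printf("safe decode of truncated input -> %d\n",
           rpm_decode_object_id_safe(truncated, sizeof truncated, &type, &inst));
    if (rpm_decode_object_id_safe(complete, sizeof complete, &type, &inst) == RPM_OBJECT_ID_ELEMENT_LEN)
        printf("safe decode of complete input -> type %u instance %u\n", type, inst);
    return 0;
}
```

The defender's takeaway is the shape of the fix rather than the specific constant: a length guard must cover the highest index the decoder reads, and a decoder that validates a trailing tag must count that tag in its minimum length. Fuzzing the RPM handler with elements one byte short of each fixed-size field (as the truncated sample does) is a cheap regression check for this class of off-by-one.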
Unauthenticated remote attackers can exploit this vulnerability over the network by sending a specially crafted RPM request with a truncated object identifier. Successful exploitation causes a one-byte out-of-bounds read, which can lead to crashes or denial-of-service on vulnerable embedded BACnet devices. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects high availability impact with no confidentiality or integrity effects, mapped to CWE-125 (Out-of-bounds Read) and CWE-193 (Off-by-one Error).
The vulnerability is fixed in BACnet Stack version 1.4.3. Security practitioners should update to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-7545-3fpx-4xw3.
Details
- CWE(s)