CVE-2026-41503

Severity: High · Public PoC

Published: 24 April 2026
Modified: 28 April 2026
KEV Added: not listed
Patch: fix available in version 1.4.3 (see below)
CVSS v4 score: 8.7 (High), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0042 (33.4th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41503 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Bacnetstack Bacnet Stack. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 33.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-41503 is an out-of-bounds read vulnerability in BACnet Stack, an open-source C protocol-stack library for embedded systems implementing the BACnet protocol. The issue affects versions prior to 1.4.3 and resides in the ReadPropertyMultiple (RPM) service property decoder at src/bacnet/rpm.c:344. Specifically, rpm_decode_object_property() calls the deprecated decode_tag_number_and_value() function, which takes no buffer length parameter and reads blindly from the pointer it is given. A crafted BACnet/IP packet with a 1-byte property payload containing an extended tag marker (0xF9) makes the decoder read one byte past the end of the buffer. The vulnerability affects deployments that enable the ReadPropertyMultiple confirmed service handler, which is enabled by default in the reference server. It is rated 7.5 on CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-125 (Out-of-bounds Read).

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity by sending a malicious RPM request with a truncated property list. Successful exploitation makes the decoder access memory beyond the allocated buffer boundary, resulting in crashes and denial of service on vulnerable embedded BACnet devices. No privileges, user interaction, or scope change are required, so the flaw is reachable by any adversary that can reach the service over the network.

The GitHub security advisory (GHSA-5w2v-mwqj-pr2c) confirms the fix in BACnet Stack version 1.4.3 and recommends immediate upgrades for affected deployments. Security practitioners should verify whether ReadPropertyMultiple services are exposed and apply the patch, since the service is enabled by default.

Vulnerability details

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service property decoder allows unauthenticated remote attackers to read past allocated buffer boundaries by sending an RPM request with a truncated property list. The vulnerability stems from rpm_decode_object_property() calling the deprecated decode_tag_number_and_value() function at src/bacnet/rpm.c:344, which accepts no buffer length parameter and reads blindly from whatever pointer it receives. A crafted BACnet/IP packet with a 1-byte property payload containing an extended tag marker (0xF9) causes the decoder to read 1 byte past the end of the buffer, leading to crashes on embedded BACnet devices. The vulnerability exists in src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler (enabled by default in the reference server). This vulnerability is fixed in 1.4.3.
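The root cause described above is a tag decoder that never learns how many octets remain in the buffer. The following is an added illustration, not bacnet-stack's own code and not the 1.4.3 fix: a bounded BACnet tag-header decoder (`decode_tag_bounded`, a hypothetical name) that checks the remaining length before every read, plus a walker (`count_context_elements`, also hypothetical) that applies it to a context-tagged list such as an RPM property reference list. The tag-octet layout used (upper nibble 0xF for an extended tag number, length/value/type 5 for an extended length, 6 and 7 for opening and closing tags) is the standard BACnet encoding; the sample inputs are constructed, including the lone 0xF9 octet the page describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not bacnet-stack code: a bounded BACnet tag-header
 * decoder and a list walker built on it. All names are hypothetical. */

#define BAC_TRUNCATED (-1)   /* header or payload extends past the buffer */
#define BAC_MALFORMED (-2)   /* structurally wrong for this context */

struct bac_tag {
    int consumed;        /* octets used by the header, or a negative error */
    uint8_t number;      /* tag number (extended form resolved) */
    bool context;        /* true for context-specific tags */
    uint32_t lvt;        /* length/value/type field (extended form resolved) */
};

/* Decode one tag header from buf[0..len). Every read is preceded by a
 * length check, so a 1-octet payload such as 0xF9 (extended tag number,
 * context class, length 1) is rejected instead of reading buf[1]. */
struct bac_tag decode_tag_bounded(const uint8_t *buf, size_t len)
{
    struct bac_tag t = { BAC_TRUNCATED, 0, false, 0 };
    size_t pos = 0;

    if (buf == NULL || len == 0)
        return t;
    uint8_t first = buf[pos++];
    uint8_t number = first >> 4;
    bool context = (first & 0x08) != 0;
    uint32_t lvt = first & 0x07;

    /* Upper nibble 0xF: the real tag number sits in the next octet. */
    if (number == 0x0F) {
        if (pos >= len)
            return t;
        number = buf[pos++];
    }
    /* lvt == 5: the length is carried in one, three or five further octets. */
    if (lvt == 5) {
        if (pos >= len)
            return t;
        uint8_t ext = buf[pos++];
        if (ext < 254) {
            lvt = ext;
        } else if (ext == 254) {
            if (len - pos < 2)
                return t;
            lvt = ((uint32_t)buf[pos] << 8) | buf[pos + 1];
            pos += 2;
        } else {
            if (len - pos < 4)
                return t;
            lvt = ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16) |
                  ((uint32_t)buf[pos + 2] << 8) | buf[pos + 3];
            pos += 4;
        }
    }
    t.consumed = (int)pos;
    t.number = number;
    t.context = context;
    t.lvt = lvt;
    return t;
}

/* Walk a list of context-tagged elements up to its closing tag and return
 * the number of data elements seen. A header or payload that would run past
 * len yields BAC_TRUNCATED; an application tag, which a property reference
 * list never carries, yields BAC_MALFORMED. */
int count_context_elements(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        struct bac_tag t = decode_tag_bounded(buf + pos, len - pos);
        if (t.consumed < 0)
            return t.consumed;
        pos += (size_t)t.consumed;
        if (!t.context)
            return BAC_MALFORMED;
        if (t.lvt == 7)          /* closing tag: end of list */
            return count;
        if (t.lvt == 6)          /* opening tag: nested list, keep walking */
            continue;
        if (t.lvt > len - pos)   /* payload must fit entirely */
            return BAC_TRUNCATED;
        pos += t.lvt;
        count++;
    }
    return BAC_TRUNCATED;        /* ran out of octets before the closing tag */
}

int main(void)
{
    /* Constructed inputs: a lone 0xF9 octet, and a well-formed list
     * (context tag 0, 1 octet, value 0x55 = present-value; closing tag 1). */
    const uint8_t lone[] = { 0xF9 };
    const uint8_t list[] = { 0x09, 0x55, 0x1F };

    printf("lone 0xF9 -> %d (BAC_TRUNCATED is %d)\n",
           decode_tag_bounded(lone, sizeof lone).consumed, BAC_TRUNCATED);
    printf("well-formed list -> %d element(s)\n",
           count_context_elements(list, sizeof list));
    return 0;
}
```

The design point is that the length travels with the pointer: every decode step receives `len - pos` and returns either the octets it consumed or an error, so a caller such as an RPM handler can drop the request cleanly instead of reading past the datagram. Fuzzing such a decoder with single-octet and cut-off inputs is a cheap regression check for this bug class.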

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The remote out-of-bounds read in the BACnet RPM service decoder directly enables exploitation of a public-facing network service (T1190) and facilitates application/system exploitation causing crash-based denial of service (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-26264 · Same product: Bacnetstack Bacnet Stack
- CVE-2026-41475 · Same product: Bacnetstack Bacnet Stack
- CVE-2026-41502 · Same product: Bacnetstack Bacnet Stack
- CVE-2026-21878 · Same product: Bacnetstack Bacnet Stack
- CVE-2026-40890 · Shared CWE-125
- CVE-2026-21863 · Shared CWE-125
- CVE-2026-33598 · Shared CWE-125
- CVE-2026-32877 · Shared CWE-125
- CVE-2026-4750 · Shared CWE-125
- CVE-2026-3622 · Shared CWE-125

Affected Assets

Vendor: bacnetstack
Product: bacnet stack
Versions: 1.5.0 · 1.4.0 — 1.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI mapping)

- Prevent: Directly requires timely patching and remediation of the out-of-bounds read flaw fixed in BACnet Stack version 1.4.3.
- Prevent: Mandates memory protection mechanisms such as bounds checking to prevent out-of-bounds reads from crafted BACnet/IP packets causing crashes.
- Prevent: Requires validation of BACnet protocol inputs in the ReadPropertyMultiple decoder to reject malformed property lists with truncated payloads.
