Cyber Posture

CVE-2026-41503

Severity: High
Public PoC: referenced
Published: 24 April 2026
Modified: 28 April 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0025 (47.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-41503 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Bacnetstack Bacnet Stack. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 47.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Directly requires timely patching and remediation of the out-of-bounds read flaw fixed in BACnet Stack version 1.4.3.

prevent (SI-16 Memory Protection): Mandates memory protection mechanisms such as bounds checking to prevent out-of-bounds reads from crafted BACnet/IP packets causing crashes.

prevent (SI-10 Information Input Validation): Requires validation of BACnet protocol inputs in the ReadPropertyMultiple decoder to reject malformed property lists with truncated payloads.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The remote out-of-bounds read in the BACnet RPM service decoder directly enables exploitation of a public-facing network service (T1190) and facilitates application/system exploitation causing crash-based denial of service (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service property decoder allows unauthenticated remote attackers to read past allocated buffer boundaries by sending an RPM request with a truncated property list. The vulnerability stems from rpm_decode_object_property() calling the deprecated decode_tag_number_and_value() function at src/bacnet/rpm.c:344, which accepts no buffer length parameter and reads blindly from whatever pointer it receives. A crafted BACnet/IP packet with a 1-byte property payload containing an extended tag marker (0xF9) causes the decoder to read 1 byte past the end of the buffer, leading to crashes on embedded BACnet devices. The vulnerability exists in src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler (enabled by default in the reference server). This vulnerability is fixed in 1.4.3.

Deeper analysis (AI-generated)

CVE-2026-41503 is an out-of-bounds read vulnerability in the BACnet Stack, an open-source C library protocol stack for embedded systems implementing the BACnet protocol. The issue affects versions prior to 1.4.3 and resides in the ReadPropertyMultiple (RPM) service property decoder at src/bacnet/rpm.c:344. Specifically, the rpm_decode_object_property() function calls the deprecated decode_tag_number_and_value() function, which lacks a buffer length parameter and reads blindly from the provided pointer. A crafted BACnet/IP packet with a 1-byte property payload containing an extended tag marker (0xF9) triggers a read one byte past the buffer end. The vulnerability impacts deployments enabling the ReadPropertyMultiple confirmed service handler, which is enabled by default in the reference server. It is rated 7.5 on CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-125 (Out-of-bounds Read).

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity by sending a malicious RPM request featuring a truncated property list. Successful exploitation causes the decoder to access memory beyond allocated buffer boundaries, resulting in crashes and denial of service on vulnerable embedded BACnet devices. No privileges, user interaction, or scope change are required, so any adversary that can reach the BACnet/IP service over the network can trigger it.

The GitHub security advisory (GHSA-5w2v-mwqj-pr2c) confirms the fix in BACnet Stack version 1.4.3 and recommends immediate upgrades for affected deployments. Security practitioners should verify whether ReadPropertyMultiple services are exposed and apply the patch, since the service is enabled by default.
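The defect described above is a tag-header decoder that takes no buffer length and reads the octet after an extended-tag marker unconditionally. The following length-aware decoder is an added example written for this page, not bacnet-stack's code: the function names and the wrappers are mine, and the tag-octet layout summarised in the comment follows the standard BACnet encoding. It shows the class of check the 1.4.3 fix needs, so that the 1-byte 0xF9 payload from the advisory is rejected instead of read past.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative length-aware BACnet tag-header decoder written for this page;
 * it is not bacnet-stack's code. Tag octet: bits 7..4 tag number (0xF means
 * the number is in the next octet), bit 3 class, bits 2..0 length/value/type
 * (5 means an extended length follows: one octet, or 254 then two octets,
 * or 255 then four octets). The defect described above reads the next octet
 * with no length check; here every read is checked against apdu_len. */
size_t tag_decode_checked(const uint8_t *apdu, size_t apdu_len,
                          uint8_t *tag, uint32_t *lvt)
{
    size_t len = 1;
    if (apdu_len < len) return 0;          /* empty buffer */
    *tag = apdu[0] >> 4;
    *lvt = apdu[0] & 0x07;
    if (*tag == 0x0F) {                    /* extended tag number */
        if (apdu_len < len + 1) return 0;  /* 0xF9 with nothing after it */
        *tag = apdu[len++];
    }
    if (*lvt == 5) {                       /* extended length */
        if (apdu_len < len + 1) return 0;
        uint8_t b = apdu[len++];
        size_t extra = (b == 254) ? 2 : (b == 255) ? 4 : 0;
        if (apdu_len < len + extra) return 0;
        *lvt = extra ? 0 : b;
        for (size_t i = 0; i < extra; i++)
            *lvt = (*lvt << 8) | apdu[len + i];
        len += extra;
    }
    return len;                            /* octets consumed by the header */
}

/* Header length accepted for a buffer; 0 means truncated, reject the request. */
size_t rpm_header_len(const uint8_t *apdu, size_t apdu_len)
{
    uint8_t tag; uint32_t lvt;
    return tag_decode_checked(apdu, apdu_len, &tag, &lvt);
}

/* Decoded length/value field, or -1 if the header was rejected. */
long rpm_header_lvt(const uint8_t *apdu, size_t apdu_len)
{
    uint8_t tag; uint32_t lvt;
    return tag_decode_checked(apdu, apdu_len, &tag, &lvt) ? (long)lvt : -1;
}
```

A caller that walks an RPM property list should stop and return a reject/error when the decoder returns 0, and advance by the returned length otherwise.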

Details

CWE(s): CWE-125 (Out-of-bounds Read)

Affected Products: bacnetstack bacnet stack (1.5.0 · 1.4.0 — 1.4.3)

CVEs Like This One

CVE-2026-26264 (same product: Bacnetstack Bacnet Stack)
CVE-2026-41475 (same product: Bacnetstack Bacnet Stack)
CVE-2026-41502 (same product: Bacnetstack Bacnet Stack)
CVE-2026-21878 (same product: Bacnetstack Bacnet Stack)
CVE-2026-3622 (shared CWE-125)
CVE-2026-32319 (shared CWE-125)
CVE-2026-41604 (shared CWE-125)
CVE-2026-32877 (shared CWE-125)
CVE-2026-35203 (shared CWE-125)
CVE-2026-30997 (shared CWE-125)
