CVE-2025-66624
BaseFortify
Publication date: 2025-12-05
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bacnetstack | bacnet_stack | 1.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the BACnet Protocol Stack library before version 1.5.0.rc2. The npdu_is_expected_reply function reads certain bytes from request and reply PDUs without verifying if those bytes actually exist, leading to out-of-bounds reads. Specifically, bacnet_npdu_decode() can return an offset that allows tiny PDUs to pass version checks but then causes out-of-bounds memory reads. This can cause immediate crashes (denial of service) on protected builds or undefined behavior on unprotected builds.
How can this vulnerability impact me?
The vulnerability can cause reliable denial of service (DoS) by crashing the application when processing certain BACnet PDUs. Although remote code execution is unlikely because only memory reads occur, the undefined behavior on unprotected builds could lead to mis-routing of replies, potentially disrupting communication.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or denial of service symptoms in devices using the BACnet Stack version 1.5.0.rc1, especially when processing MS/TP DATA_EXPECTING_REPLY frames with very small (2-byte) NPDU payloads. A proof-of-concept involves sending a crafted DATA_EXPECTING_REPLY frame carrying a minimal 2-byte NPDU (e.g., bytes 01 04) on the MS/TP bus to trigger the out-of-bounds read and cause a crash on ASan/MPU builds. Detection commands would involve capturing and analyzing MS/TP traffic for such minimal NPDU frames or using AddressSanitizer-enabled builds to detect stack-buffer-overflow crashes at npdu.c:702. Specific commands are not provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the BACnet Stack to version 1.5.0.rc2 or later, where the vulnerability is fixed by adding strict bounds checks on the lengths of request and reply PDUs before accessing their contents. If upgrading is not immediately possible, monitoring and filtering MS/TP traffic to block or detect malformed DATA_EXPECTING_REPLY frames with minimal NPDU lengths (e.g., 2-byte NPDUs) may reduce risk. Additionally, using builds with AddressSanitizer or MPU enabled can help detect exploitation attempts by causing immediate crashes rather than undefined behavior. [1, 2]
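The bounds-check pattern the fix describes, as an added illustration that is not bacnet-stack's own code: a length-checked NPDU header walk plus the caller-side guard that refuses to touch request or reply contents when no APDU byte follows the header. Function names are hypothetical; the control-octet bit constants are assumed from the BACnet NPDU header layout, and the 2-byte `01 04` case is the one quoted in the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* NPDU control-octet bits used here (assumed BACnet network-layer header layout). */
#define NPDU_CTRL_NETWORK_MSG  0x80
#define NPDU_CTRL_DEST_PRESENT 0x20
#define NPDU_CTRL_SRC_PRESENT  0x08

/* Walk the NPDU header without ever indexing past pdu_len.
 * Returns the APDU offset, or -1 if the buffer is shorter than the
 * fields its own control octet announces (hypothetical helper). */
int npdu_header_len_checked(const uint8_t *pdu, size_t pdu_len)
{
    if (pdu == NULL || pdu_len < 2 || pdu[0] != 0x01) /* version 1 only */
        return -1;
    uint8_t ctrl = pdu[1];
    size_t off = 2;
    if (ctrl & NPDU_CTRL_DEST_PRESENT) {  /* DNET(2) DLEN(1) DADR(DLEN) */
        if (pdu_len - off < 3) return -1;
        uint8_t dlen = pdu[off + 2];
        off += 3;
        if (pdu_len - off < dlen) return -1;
        off += dlen;
    }
    if (ctrl & NPDU_CTRL_SRC_PRESENT) {   /* SNET(2) SLEN(1) SADR(SLEN) */
        if (pdu_len - off < 3) return -1;
        uint8_t slen = pdu[off + 2];
        off += 3;
        if (pdu_len - off < slen) return -1;
        off += slen;
    }
    if (ctrl & NPDU_CTRL_DEST_PRESENT) {  /* hop count follows source info */
        if (pdu_len - off < 1) return -1;
        off += 1;
    }
    if (ctrl & NPDU_CTRL_NETWORK_MSG) {   /* message type, vendor id if >= 0x80 */
        if (pdu_len - off < 1) return -1;
        uint8_t msg_type = pdu[off++];
        if (msg_type >= 0x80 && pdu_len - off < 2) return -1;
        if (msg_type >= 0x80) off += 2;
    }
    return (int)off;
}
/* Caller-side guard the fix describes: only inspect request/reply contents
 * when at least one APDU byte actually exists after the NPDU header. */
bool npdu_has_apdu(const uint8_t *pdu, size_t pdu_len)
{
    int hdr = npdu_header_len_checked(pdu, pdu_len);
    return hdr >= 0 && (size_t)hdr < pdu_len;
}
```

A 2-byte NPDU passes the version check but yields no APDU, so the guard returns false instead of letting a reply-matching routine index past the buffer.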