CVE-2026-38570
Out-of-bounds Read in bacnet_stack
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bacnet_stack | bacnet_stack | 1.3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
The vulnerability in bacnet_stack version 1.3.1 is an out-of-bounds read occurring in the function bacnet_tag_number_decode. It happens when a malformed UCOV or property-value payload with an oversized extended application length is processed without proper validation. This oversized length is trusted and propagated through several decoding functions, eventually causing an invalid memory read that leads to a segmentation fault and crash.
An attacker can exploit this remotely without authentication by sending specially crafted BACnet UCOV or APDU input, triggering the crash and causing a denial-of-service condition.
How can this vulnerability impact me? :
This vulnerability can cause a denial-of-service (DoS) condition by crashing the affected system. Since the crash results from an invalid memory read, the system running bacnet_stack 1.3.1 can become unresponsive or stop functioning properly when it processes maliciously crafted BACnet messages.
Because the exploit can be triggered remotely without authentication, attackers can disrupt services or operations relying on the BACnet stack, potentially impacting building automation and control networks that use this library.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or segmentation faults in applications using bacnet_stack 1.3.1, especially those related to BACnet UCOV or APDU inputs.
Specifically, the crash occurs due to an out-of-bounds read in the function bacnet_tag_number_decode triggered by malformed BACnet UCOV/property-value payloads with oversized extended application lengths.
Detection can involve using debugging or memory error detection tools such as AddressSanitizer to identify SEGV errors caused by invalid memory reads in bacnet_tag_number_decode.
On the network level, you can capture and analyze BACnet traffic for malformed UCOV or APDU packets with unusually large or malformed property values that could trigger the vulnerability.
- Use packet capture tools like Wireshark or tcpdump to filter BACnet traffic and inspect UCOV/property-value payloads.
- Run the vulnerable application under AddressSanitizer or similar memory error detection tools to catch segmentation faults.
- Monitor system logs and application crash reports for segmentation faults related to bacnet_tag_number_decode.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing exposure of vulnerable bacnet_stack 1.3.1 services to untrusted networks, as the vulnerability can be exploited remotely without authentication.
Restrict network access to BACnet services by using firewalls or network segmentation to limit incoming BACnet UCOV or APDU traffic from untrusted sources.
Monitor and block malformed BACnet packets that contain oversized extended application lengths or suspicious UCOV/property-value payloads.
Apply patches or upgrade to a fixed version of bacnet_stack once available to eliminate the out-of-bounds read vulnerability.