Vulnerability Description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an off-by-one out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service decoder allows unauthenticated remote attackers to read one byte past an allocated buffer boundary by sending a crafted RPM request with a truncated object identifier. The vulnerability is in rpm_decode_object_id(), which checks apdu_len < 5 but then accesses all 6 byte positions (indices 0-5) — consuming 1 byte for the context tag, 4 bytes for the object ID, then reading apdu[5] for the opening tag check. A 5-byte input passes the length check but causes a 1-byte OOB read, leading to crashes on embedded BACnet devices. The vulnerability exists in src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler (enabled by default in the reference server). This vulnerability is fixed in 1.4.3.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bacnetstack | Bacnet Stack | >= 1.4.0, < 1.4.3 |
Related Weaknesses (CWE)
References
- https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-7545-3fpx-ExploitMitigationVendor Advisory
- https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-7545-3fpx-ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-41502?
CVE-2026-41502 is a vulnerability with a CVSS score of 7.5 (HIGH). BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an off-by-one out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service decode...
How severe is CVE-2026-41502?
CVE-2026-41502 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41502?
Check the references section above for vendor advisories and patch information. Affected products include: Bacnetstack Bacnet Stack.