CVE-2026-41475 Overview
CVE-2026-41475 is an out-of-bounds read vulnerability [CWE-125] in BACnet Stack, an open source BACnet protocol stack C library used in embedded building automation systems. The flaw exists in the WritePropertyMultiple (WPM) service decoder in versions prior to 1.4.3. An unauthenticated remote attacker can send a truncated WPM request over BACnet/IP to force the decoder to read 1–7 bytes past the end of the allocated buffer. The condition can crash embedded BACnet devices or disclose adjacent memory contents. The maintainers fixed the issue in release 1.4.3.
Critical Impact
A single crafted BACnet/IP packet sent by an unauthenticated attacker can crash embedded BACnet devices controlling HVAC, lighting, and physical access systems, disrupting building operations.
Affected Products
- BACnet Stack versions prior to 1.4.3
- BACnet Stack 1.5.0-rc1, 1.5.0-rc2, and 1.5.0-rc3 release candidates
- Embedded building automation devices integrating the vulnerable library
Discovery Timeline
- 2026-04-24 - CVE-2026-41475 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-41475
Vulnerability Analysis
The vulnerability resides in wpm_decode_object_property(), the decoder responsible for parsing WritePropertyMultiple service requests in BACnet Stack. The function invokes the deprecated decode_tag_number_and_value() helper, which does not validate that enough bytes remain in the input buffer before reading tag and length fields. When the attacker truncates the property payload of an otherwise well-formed BACnet/IP packet, the decoder advances the read cursor past the end of the receive buffer.
The overread spans 1–7 bytes depending on the encoded tag class and length octet count. On constrained embedded targets, the adjacent memory may include stack canaries, neighboring network buffers, or heap metadata. Reading this memory can produce two outcomes: a crash when the read crosses an unmapped page boundary or memory protection unit region, or silent information disclosure when the bytes are reflected in subsequent protocol responses or logs.
Root Cause
The root cause is missing bounds checking in a tag decoding helper. decode_tag_number_and_value() was retained in the call path of the WPM decoder despite being marked deprecated for exactly this class of issue. The caller does not pre-validate the remaining buffer length against the minimum bytes required to decode a tag and value header.
Attack Vector
The attack vector is network-based and requires no authentication, no privileges, and no user interaction. BACnet/IP typically operates on UDP port 47808 and is frequently exposed on operational technology networks that interconnect with corporate LANs. An attacker with reachability to a vulnerable device sends a single crafted BACnet/IP datagram containing a WritePropertyMultiple request with a truncated property value field. The decoder dereferences past the buffer boundary during parsing.
No public proof-of-concept exploit code is available at the time of writing. Refer to the GitHub Security Advisory GHSA-cvv4-v3g6-4jmv for the maintainer's technical description and patch reference.
Detection Methods for CVE-2026-41475
Indicators of Compromise
- Unexpected restarts, watchdog resets, or communication loss on BACnet controllers handling WritePropertyMultiple requests
- Inbound BACnet/IP traffic on UDP 47808 from untrusted network segments or external sources
- Malformed or truncated WPM APDUs in BACnet protocol analyzer captures, particularly with property values shorter than declared
Detection Strategies
- Deploy network intrusion detection signatures that flag BACnet/IP packets where the WPM service payload length is inconsistent with the declared tag and value structure
- Inventory firmware and embedded software bills of materials to identify devices linking bacnet-stack versions below 1.4.3
- Capture and replay BACnet/IP traffic in a lab to verify whether suspect devices crash when receiving truncated WPM frames
Monitoring Recommendations
- Monitor operational technology network egress and ingress for any BACnet/IP traffic crossing trust boundaries
- Alert on repeated crashes, reboots, or BACnet device offline events in the building management system
- Log and review WritePropertyMultiple requests originating from non-engineering workstations or unfamiliar source addresses
How to Mitigate CVE-2026-41475
Immediate Actions Required
- Upgrade BACnet Stack to version 1.4.3 or later in all firmware images and rebuild affected embedded devices
- Block BACnet/IP traffic on UDP 47808 at perimeter and segmentation firewalls between IT and OT networks
- Restrict WritePropertyMultiple requests to known engineering workstations using BACnet Broadcast Management Device (BBMD) access lists where supported
Patch Information
The upstream fix is available in BACnet Stack release 1.4.3. The patch replaces the deprecated decode_tag_number_and_value() call in wpm_decode_object_property() with a bounds-checked decoder variant. Device vendors integrating the library must rebuild and redistribute firmware to downstream operators. Refer to the BACnet Stack Security Advisory GHSA-cvv4-v3g6-4jmv for commit details.
Workarounds
- Place vulnerable BACnet devices behind a BACnet-aware firewall or protocol gateway that validates APDU length consistency before forwarding
- Disable BACnet/IP routing across VLAN or site boundaries until patched firmware is available from the device vendor
- Apply strict allowlists restricting which source addresses may issue WritePropertyMultiple requests to field controllers
# Example firewall rule to restrict BACnet/IP to a management subnet
iptables -A INPUT -p udp --dport 47808 -s 10.20.30.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 47808 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
