CVE-2026-41475 Overview
CVE-2026-41475 is an out-of-bounds read vulnerability in the BACnet Stack library, an open source BACnet protocol stack written in C for embedded systems. The vulnerability exists in the WritePropertyMultiple (WPM) service decoder, where the wpm_decode_object_property() function calls the deprecated decode_tag_number_and_value() function without performing proper bounds checking on the input buffer.
Unauthenticated remote attackers can exploit this vulnerability by sending a specially crafted BACnet/IP packet containing a truncated property payload. When processed by the vulnerable decoder, this causes the system to read 1-7 bytes past the end of the allocated buffer, potentially resulting in crashes or information disclosure on embedded BACnet devices.
Critical Impact
Remote unauthenticated attackers can cause denial of service or information disclosure on embedded building automation systems by sending malformed BACnet/IP packets.
Affected Products
- BACnet Stack versions prior to 1.4.3
- BACnet Stack version 1.5.0-rc1
- BACnet Stack version 1.5.0-rc2
- BACnet Stack version 1.5.0-rc3
Discovery Timeline
- 2026-04-24 - CVE-2026-41475 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-41475
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read) and affects the WritePropertyMultiple service decoder in the BACnet Stack library. The issue arises from inadequate input validation when processing BACnet/IP packets.
When a truncated WPM request is received, the wpm_decode_object_property() function processes the incoming data using the deprecated decode_tag_number_and_value() function. This deprecated function lacks proper bounds checking, allowing the decoder to read beyond the allocated buffer boundaries when parsing malformed packets.
The vulnerability is particularly concerning for embedded BACnet devices commonly deployed in building automation systems (BAS), HVAC control systems, and industrial environments. These devices often operate on networks with limited security controls, making them susceptible to network-based attacks.
Root Cause
The root cause of this vulnerability is the use of the deprecated decode_tag_number_and_value() function within the wpm_decode_object_property() function. This deprecated function performs no bounds checking on the input buffer, trusting that the incoming data is well-formed. When an attacker provides a truncated property payload, the decoder continues reading past the allocated buffer, accessing 1-7 bytes of adjacent memory.
The lack of input validation before processing BACnet service requests compounds this issue, as malformed packets are not rejected at an earlier stage in the processing pipeline.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious BACnet/IP packet with a truncated property payload in the WritePropertyMultiple service request
- Sending the packet to a vulnerable BACnet device over UDP port 47808 (the standard BACnet/IP port)
- When the target device processes the malformed packet, the out-of-bounds read occurs
The vulnerability manifests in the WPM service decoder when processing truncated property payloads. The deprecated decode_tag_number_and_value() function reads tag data without validating buffer boundaries, causing 1-7 bytes to be read past the allocated buffer. This can result in application crashes or potential leakage of adjacent memory contents. For technical implementation details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-41475
Indicators of Compromise
- Unexpected crashes or restarts of BACnet-enabled devices or services
- Malformed BACnet/IP packets with truncated WritePropertyMultiple service requests on UDP port 47808
- Memory access violations or segmentation faults in BACnet stack processes
- Unusual network traffic patterns targeting BACnet/IP ports
Detection Strategies
- Deploy network intrusion detection systems (IDS) with rules to detect malformed BACnet/IP packets
- Monitor BACnet devices for unexpected crashes, restarts, or error conditions
- Implement deep packet inspection for BACnet/IP traffic to identify truncated WPM requests
- Use application-level logging to capture and analyze BACnet service request processing errors
Monitoring Recommendations
- Enable verbose logging on BACnet controllers and gateways to capture protocol-level errors
- Implement network segmentation monitoring to detect unauthorized access to building automation networks
- Set up alerts for BACnet device availability and response time anomalies
- Deploy SentinelOne agents on systems running BACnet stack software for real-time threat detection
How to Mitigate CVE-2026-41475
Immediate Actions Required
- Update BACnet Stack to version 1.4.3 or later immediately
- If running version 1.5.0-rc1, 1.5.0-rc2, or 1.5.0-rc3, update to a patched release
- Isolate vulnerable BACnet devices on segmented networks until patching is complete
- Implement firewall rules to restrict access to BACnet/IP port 47808 from untrusted networks
Patch Information
The vulnerability has been fixed in BACnet Stack version 1.4.3. Organizations should upgrade to this version or later to remediate the vulnerability. For detailed patch information and release notes, refer to the GitHub Security Advisory.
Workarounds
- Implement network segmentation to isolate BACnet devices from untrusted networks
- Deploy firewall rules to restrict BACnet/IP traffic (UDP 47808) to authorized management systems only
- Use VPN connections for remote BACnet device management
- Enable rate limiting on network devices to throttle potential attack traffic
# Example firewall rule to restrict BACnet/IP access (iptables)
iptables -A INPUT -p udp --dport 47808 -s 192.168.100.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 47808 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
