CVE-2026-38570
Description
bacnet_stack 1.3.1 has an out-of-bounds read in bacnet_tag_number_decode, leading to a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
bacnet_stack version 1.3.1 contains an out-of-bounds read vulnerability in the bacnet_tag_number_decode function. This vulnerability is triggered when processing a malformed UCOV or property-value payload, which allows an oversized extended application length to be accepted without proper validation against the remaining APDU bytes. This incorrect length is then passed to host_n_port_decode, which trusts the value and leads to the out-of-bounds read when bacnet_tag_number_decode is called [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted UCOV or property-value payload to a vulnerable instance of bacnet_stack. This payload must be designed to cause the bacapp_decode_application_data function to accept an oversized extended application length. The attacker does not require any specific network position or authentication, and no user interaction is needed for the vulnerability to be triggered.
Impact
Successful exploitation of this vulnerability allows an attacker to cause a denial of service by crashing the bacnet_stack application. The crash occurs due to an attempted read from an invalid memory address, as indicated by the AddressSanitizer: SEGV error message [1]. The scope of the compromise is limited to the denial of service on the affected system.
Mitigation
The vulnerability is fixed in versions of bacnet_stack after 1.3.1. Users are advised to update to a patched version. No specific patch release date is available, and no workarounds are disclosed in the available references. The project is actively maintained, and users should refer to the project's GitHub repository for the latest information [2].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE) range: <1.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A malformed UCOV/property-value payload allows an oversized extended application length to be accepted without proper verification, leading to an out-of-bounds read."
Attack vector
An attacker can send a crafted BACnet UCOV/APDU input to a vulnerable system. This input is designed to exploit a flaw in how the `bacapp_decode_application_data` function handles extended application lengths. The oversized length is then passed through subsequent decoding functions, ultimately causing a crash due to an out-of-bounds read in `bacnet_tag_number_decode` [1].
Affected code
The vulnerability lies within the `bacapp_decode_application_data` function, which incorrectly handles oversized extended application lengths. This leads to issues in `bacapp_decode_data` and subsequently `host_n_port_decode`. The ultimate crash occurs in `bacnet_tag_number_decode` when it attempts to read beyond the allocated buffer due to the unchecked length [1].
What the fix does
The advisory does not specify a patch or provide details of a fix. Remediation would typically involve updating the affected software to a patched version once one is available; until then, restricting network access to the BACnet service or adding input validation may be necessary.
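The remaining-length validation described above, written as an added example in C; this is not bacnet-stack's own code, and the struct and function names are hypothetical. It decodes one BACnet tag header, including extended tag numbers and the 254/255 extended-length forms, and rejects any declared data length that exceeds the bytes left in the buffer instead of passing it to later decoders:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Hypothetical tag-header struct for this example, not bacnet-stack's own type. */
typedef struct {
    uint8_t tag_number;
    bool context_specific;
    uint32_t len_value; /* declared length of the data that follows the header */
} bacnet_tag_t;
/* Decode one BACnet tag header from buf[0..buf_len). Returns the number of
 * header bytes consumed, or 0 if the header is truncated or the declared
 * data length does not fit in the bytes that remain after the header. */
size_t decode_tag_checked(const uint8_t *buf, size_t buf_len, bacnet_tag_t *out)
{
    size_t pos = 0;
    if (buf == NULL || out == NULL || buf_len == 0) return 0;
    uint8_t octet = buf[pos++];
    uint8_t lvt = octet & 0x07;             /* length/value/type field */
    out->tag_number = octet >> 4;
    out->context_specific = (octet & 0x08) != 0;
    if (out->tag_number == 15) {            /* extended tag number in next octet */
        if (pos >= buf_len) return 0;
        out->tag_number = buf[pos++];
    }
    if (lvt == 5) {                         /* extended length follows */
        if (pos >= buf_len) return 0;
        uint8_t ext = buf[pos++];
        if (ext == 254) {                   /* 16-bit length */
            if (buf_len - pos < 2) return 0;
            out->len_value = ((uint32_t)buf[pos] << 8) | buf[pos + 1];
            pos += 2;
        } else if (ext == 255) {            /* 32-bit length */
            if (buf_len - pos < 4) return 0;
            out->len_value = ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16)
                           | ((uint32_t)buf[pos + 2] << 8) | buf[pos + 3];
            pos += 4;
        } else {
            out->len_value = ext;           /* 8-bit length (5..253) */
        }
    } else if (lvt >= 6) {
        out->len_value = 0;                 /* opening/closing tag carries no data */
    } else {
        out->len_value = lvt;               /* short length held in the tag octet */
    }
    /* The check the advisory describes as missing: a declared length larger
     * than the remaining APDU bytes is rejected instead of being passed on. */
    if (out->len_value > buf_len - pos) return 0;
    return pos;
}
```

The sample buffers in the test below are constructed for this example; a 16-bit extended length of 1000 with only five bytes following is rejected, while the same header with a length of 4 decodes normally.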
Preconditions
- input: A malformed BACnet UCOV/property-value payload.
- network: The attacker must be able to send network traffic to the vulnerable BACnet service.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.