Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities found for bacnet_stack by bacnetstack
CVE-2026-26264 (GCVE-0-2026-26264)
Vulnerability from nvd – Published: 2026-02-13 18:14 – Updated: 2026-02-13 18:50
VLAI?
Title
BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash
Summary
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bacnet-stack | bacnet-stack |
Affected:
>= 1.5.0rc1, < 1.5.0rc4
Affected: < 1.4.3rc2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26264",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T18:49:44.498242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:50:30.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bacnet-stack",
"vendor": "bacnet-stack",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.0rc1, \u003c 1.5.0rc4"
},
{
"status": "affected",
"version": "\u003c 1.4.3rc2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out\u2011of\u2011bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size \u003c= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out\u2011of\u2011bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:14:30.232Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708"
}
],
"source": {
"advisory": "GHSA-phjh-v45p-gmjj",
"discovery": "UNKNOWN"
},
"title": "BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26264",
"datePublished": "2026-02-13T18:14:30.232Z",
"dateReserved": "2026-02-12T17:10:53.412Z",
"dateUpdated": "2026-02-13T18:50:30.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21878 (GCVE-0-2026-21878)
Vulnerability from nvd – Published: 2026-02-13 18:10 – Updated: 2026-02-13 18:53
VLAI?
Title
BACnet Stack Improperly Limits Pathnames to a Restricted Directory
Summary
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3.
Severity ?
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bacnet-stack | bacnet-stack |
Affected:
< 1.5.0.rc3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21878",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T18:53:41.608462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:53:59.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bacnet-stack",
"vendor": "bacnet-stack",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.0.rc3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack\u0027s file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:10:26.325Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3"
}
],
"source": {
"advisory": "GHSA-p8rx-c26w-545j",
"discovery": "UNKNOWN"
},
"title": "BACnet Stack Improperly Limits Pathnames to a Restricted Directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21878",
"datePublished": "2026-02-13T18:10:26.325Z",
"dateReserved": "2026-01-05T17:24:36.928Z",
"dateUpdated": "2026-02-13T18:53:59.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21870 (GCVE-0-2026-21870)
Vulnerability from nvd – Published: 2026-02-13 17:58 – Updated: 2026-02-13 18:19
VLAI?
Title
The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string
Summary
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow.
Severity ?
5.5 (Medium)
CWE
- CWE-193 - Off-by-one Error
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bacnet-stack | bacnet-stack |
Affected:
<= 1.4.2
Affected: >= 1.5.0.rc1, <= 1.5.0.rc2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T18:19:25.750164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:19:36.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bacnet-stack",
"vendor": "bacnet-stack",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.4.2"
},
{
"status": "affected",
"version": "\u003e= 1.5.0.rc1, \u003c= 1.5.0.rc2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193: Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T17:58:37.205Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/pull/1196",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/pull/1196"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465"
}
],
"source": {
"advisory": "GHSA-pc83-wp6w-93mx",
"discovery": "UNKNOWN"
},
"title": "The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21870",
"datePublished": "2026-02-13T17:58:37.205Z",
"dateReserved": "2026-01-05T16:44:16.368Z",
"dateUpdated": "2026-02-13T18:19:36.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66624 (GCVE-0-2025-66624)
Vulnerability from nvd – Published: 2025-12-05 18:36 – Updated: 2025-12-08 17:28
VLAI?
Title
BACnet-stack MS/TP reply matcher OOB read
Summary
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, The npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable.
Severity ?
7.5 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bacnet-stack | bacnet-stack |
Affected:
< 1.5.0.rc2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66624",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T17:28:35.179529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T17:28:39.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bacnet-stack",
"vendor": "bacnet-stack",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.0.rc2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, The npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T18:36:26.280Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-8wgw-5h6x-qgqg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-8wgw-5h6x-qgqg"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48"
}
],
"source": {
"advisory": "GHSA-8wgw-5h6x-qgqg",
"discovery": "UNKNOWN"
},
"title": "BACnet-stack MS/TP reply matcher OOB read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66624",
"datePublished": "2025-12-05T18:36:26.280Z",
"dateReserved": "2025-12-05T15:18:02.788Z",
"dateUpdated": "2025-12-08T17:28:39.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-51773 (GCVE-0-2023-51773)
Vulnerability from nvd – Published: 2023-12-25 00:00 – Updated: 2024-08-02 22:48
VLAI?
Summary
BACnet Stack before 1.3.2 has a decode function APDU buffer over-read in bacapp_decode_application_data in bacapp.c.
Severity ?
9.1 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bacnet_protocol_stack_project:bacnet_protocol_stack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bacnet_protocol_stack",
"vendor": "bacnet_protocol_stack_project",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T19:17:47.911804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-126",
"description": "CWE-126 Buffer Over-read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T19:33:35.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:11.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://sourceforge.net/p/bacnet/bugs/85/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/pull/546"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/pull/546/commits/c465412a076ca6c9ddf649612f2b4e1874d8dcb8"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/blob/master/CHANGELOG.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/compare/bacnet-stack-1.3.1...bacnet-stack-1.3.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BACnet Stack before 1.3.2 has a decode function APDU buffer over-read in bacapp_decode_application_data in bacapp.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-25T20:35:12.087Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://sourceforge.net/p/bacnet/bugs/85/"
},
{
"url": "https://github.com/bacnet-stack/bacnet-stack/pull/546"
},
{
"url": "https://github.com/bacnet-stack/bacnet-stack/pull/546/commits/c465412a076ca6c9ddf649612f2b4e1874d8dcb8"
},
{
"url": "https://github.com/bacnet-stack/bacnet-stack/blob/master/CHANGELOG.md"
},
{
"url": "https://github.com/bacnet-stack/bacnet-stack/compare/bacnet-stack-1.3.1...bacnet-stack-1.3.2"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-51773",
"datePublished": "2023-12-25T00:00:00.000Z",
"dateReserved": "2023-12-25T00:00:00.000Z",
"dateUpdated": "2024-08-02T22:48:11.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-26264 (GCVE-0-2026-26264)
Vulnerability from cvelistv5 – Published: 2026-02-13 18:14 – Updated: 2026-02-13 18:50
VLAI?
Title
BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash
Summary
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size <= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out‑of‑bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bacnet-stack | bacnet-stack |
Affected:
>= 1.5.0rc1, < 1.5.0rc4
Affected: < 1.4.3rc2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26264",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T18:49:44.498242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:50:30.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bacnet-stack",
"vendor": "bacnet-stack",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.0rc1, \u003c 1.5.0rc4"
},
{
"status": "affected",
"version": "\u003c 1.4.3rc2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out\u2011of\u2011bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size \u003c= apdu_len. If a truncated APDU reaches this path, apdu_len - apdu_size underflows, resulting in a large size being used for decoding and an out\u2011of\u2011bounds read. This vulnerability is fixed in 1.5.0rc4 and 1.4.3rc2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:14:30.232Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-phjh-v45p-gmjj"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/commit/4cc8067c86f26e2b08b2c8f4d27f8e07de4d4708"
}
],
"source": {
"advisory": "GHSA-phjh-v45p-gmjj",
"discovery": "UNKNOWN"
},
"title": "BACnet Stack WriteProperty decoding length underflow leads to OOB read and crash"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26264",
"datePublished": "2026-02-13T18:14:30.232Z",
"dateReserved": "2026-02-12T17:10:53.412Z",
"dateUpdated": "2026-02-13T18:50:30.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21878 (GCVE-0-2026-21878)
Vulnerability from cvelistv5 – Published: 2026-02-13 18:10 – Updated: 2026-02-13 18:53
VLAI?
Title
BACnet Stack Improperly Limits Pathnames to a Restricted Directory
Summary
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3.
Severity ?
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bacnet-stack | bacnet-stack |
Affected:
< 1.5.0.rc3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21878",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T18:53:41.608462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:53:59.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bacnet-stack",
"vendor": "bacnet-stack",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.0.rc3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack\u0027s file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:10:26.325Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3"
}
],
"source": {
"advisory": "GHSA-p8rx-c26w-545j",
"discovery": "UNKNOWN"
},
"title": "BACnet Stack Improperly Limits Pathnames to a Restricted Directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21878",
"datePublished": "2026-02-13T18:10:26.325Z",
"dateReserved": "2026-01-05T17:24:36.928Z",
"dateUpdated": "2026-02-13T18:53:59.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21870 (GCVE-0-2026-21870)
Vulnerability from cvelistv5 – Published: 2026-02-13 17:58 – Updated: 2026-02-13 18:19
VLAI?
Title
The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string
Summary
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow.
Severity ?
5.5 (Medium)
CWE
- CWE-193 - Off-by-one Error
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bacnet-stack | bacnet-stack |
Affected:
<= 1.4.2
Affected: >= 1.5.0.rc1, <= 1.5.0.rc2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T18:19:25.750164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:19:36.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bacnet-stack",
"vendor": "bacnet-stack",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.4.2"
},
{
"status": "affected",
"version": "\u003e= 1.5.0.rc1, \u003c= 1.5.0.rc2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer than the buffer limit. The tokenizer_string function in src/bacnet/basic/program/ubasic/tokenizer.c incorrectly handles null termination for maximum-length strings. It writes a null byte to dest[40] when the buffer size is only 40 (indices 0-39), triggering a stack overflow."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193: Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T17:58:37.205Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-pc83-wp6w-93mx"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/pull/1196",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/pull/1196"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/commit/4e1176394a5ae50d2fd0b5790d9bff806dc08465"
}
],
"source": {
"advisory": "GHSA-pc83-wp6w-93mx",
"discovery": "UNKNOWN"
},
"title": "The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21870",
"datePublished": "2026-02-13T17:58:37.205Z",
"dateReserved": "2026-01-05T16:44:16.368Z",
"dateUpdated": "2026-02-13T18:19:36.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66624 (GCVE-0-2025-66624)
Vulnerability from cvelistv5 – Published: 2025-12-05 18:36 – Updated: 2025-12-08 17:28
VLAI?
Title
BACnet-stack MS/TP reply matcher OOB read
Summary
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, The npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable.
Severity ?
7.5 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bacnet-stack | bacnet-stack |
Affected:
< 1.5.0.rc2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66624",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T17:28:35.179529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T17:28:39.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bacnet-stack",
"vendor": "bacnet-stack",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.0.rc2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, The npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T18:36:26.280Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-8wgw-5h6x-qgqg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-8wgw-5h6x-qgqg"
},
{
"name": "https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48"
}
],
"source": {
"advisory": "GHSA-8wgw-5h6x-qgqg",
"discovery": "UNKNOWN"
},
"title": "BACnet-stack MS/TP reply matcher OOB read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66624",
"datePublished": "2025-12-05T18:36:26.280Z",
"dateReserved": "2025-12-05T15:18:02.788Z",
"dateUpdated": "2025-12-08T17:28:39.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-51773 (GCVE-0-2023-51773)
Vulnerability from cvelistv5 – Published: 2023-12-25 00:00 – Updated: 2024-08-02 22:48
VLAI?
Summary
BACnet Stack before 1.3.2 has a decode function APDU buffer over-read in bacapp_decode_application_data in bacapp.c.
Severity ?
9.1 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bacnet_protocol_stack_project:bacnet_protocol_stack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bacnet_protocol_stack",
"vendor": "bacnet_protocol_stack_project",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T19:17:47.911804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-126",
"description": "CWE-126 Buffer Over-read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T19:33:35.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:11.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://sourceforge.net/p/bacnet/bugs/85/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/pull/546"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/pull/546/commits/c465412a076ca6c9ddf649612f2b4e1874d8dcb8"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/blob/master/CHANGELOG.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/bacnet-stack/bacnet-stack/compare/bacnet-stack-1.3.1...bacnet-stack-1.3.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BACnet Stack before 1.3.2 has a decode function APDU buffer over-read in bacapp_decode_application_data in bacapp.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-25T20:35:12.087Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://sourceforge.net/p/bacnet/bugs/85/"
},
{
"url": "https://github.com/bacnet-stack/bacnet-stack/pull/546"
},
{
"url": "https://github.com/bacnet-stack/bacnet-stack/pull/546/commits/c465412a076ca6c9ddf649612f2b4e1874d8dcb8"
},
{
"url": "https://github.com/bacnet-stack/bacnet-stack/blob/master/CHANGELOG.md"
},
{
"url": "https://github.com/bacnet-stack/bacnet-stack/compare/bacnet-stack-1.3.1...bacnet-stack-1.3.2"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-51773",
"datePublished": "2023-12-25T00:00:00.000Z",
"dateReserved": "2023-12-25T00:00:00.000Z",
"dateUpdated": "2024-08-02T22:48:11.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}