CVE-2026-38570: bacnet_stack Out-of-Bounds Read Denial of Service Vulnerability
CVE-2026-38570 is a denial-of-service vulnerability in bacnet_stack version 1.3.1 that stems from an out-of-bounds read flaw in the bacnet_tag_number_decode function. An attacker can trigger this flaw remotely without authentication to crash or hang systems running the vulnerable library, disrupting BACnet (Building Automation and Control Networks) operations. The vulnerability does not enable data theft or system compromise, but availability impact is significant in industrial and building automation environments where BACnet is critical infrastructure.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
bacnet_stack 1.3.1 contains an Out-of-bounds Read in bacnet_tag_number_decode which allows attackers to cause a denial of service.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The bacnet_tag_number_decode function in bacnet_stack 1.3.1 fails to properly validate memory boundaries before reading tag number data. This out-of-bounds read (CWE-125) can be triggered by a specially crafted BACnet message sent over the network. When the decoder attempts to read beyond allocated buffer space, it causes undefined behavior—typically a crash or service hang—that results in denial of service. The flaw requires no user interaction and no special privileges to exploit; any network-accessible BACnet service is vulnerable if it processes untrusted input through the affected decoder.
Business impact
Organizations running BACnet-based building automation, HVAC control, fire safety, or industrial facility management systems depend on continuous availability. An attacker exploiting this vulnerability can trigger outages that disrupt climate control, emergency systems response, production processes, or facility monitoring. In critical infrastructure or healthcare settings, such disruptions may have cascading consequences. Recovery requires restarting services and potentially manual system diagnostics. The lack of authentication requirements means any exposed BACnet endpoint is at risk.
Affected systems
The vulnerability directly affects applications and services that bundle or depend on bacnet_stack version 1.3.1. This includes BACnet protocol implementations, building management systems (BMS), and industrial control software that integrate this library. Any deployment of bacnet_stack 1.3.1 exposed to network traffic is vulnerable. Downstream products embedding this library should be inventoried; check with your BMS or control system vendors for patched or mitigated versions. bacnet_stack versions prior to 1.3.1 and versions after the fix are not affected.
Exploitability
Exploitability is high. The attack requires only network access to a BACnet service (typically UDP port 47808 or similar, depending on configuration) and does not require authentication, special privileges, or user interaction. An attacker can craft a malformed BACnet message and send it remotely to trigger the flaw. The barrier to exploitation is low—no complex social engineering, no privileged account compromise required. The CVSS vector (AV:N/AC:L/PR:N/UI:N/A:H) reflects this: network-accessible, low attack complexity, no privileges needed, resulting in high availability impact.
Remediation
Update bacnet_stack to a patched version. Verify with the bacnet_stack project (check github.com/bacnet-stack or official releases) for the version number that fixes CVE-2026-38570. Apply the patch to all systems and applications embedding the vulnerable 1.3.1 library. If immediate patching is not feasible, implement network segmentation to restrict BACnet traffic to trusted networks only, disable remote access to BACnet services if not operationally required, and monitor for suspicious or malformed BACnet messages. After patching, restart all dependent services and validate BACnet functionality in your deployment.
Patch guidance
1. Identify all systems running bacnet_stack 1.3.1 (check build logs, vendor documentation, or dependency manifests). 2. Consult the bacnet_stack project repository or vendor advisories for the specific patched version number that resolves CVE-2026-38570. 3. Test the patch in a non-production environment to confirm compatibility with your BACnet applications and control systems. 4. Schedule maintenance windows to deploy the update, as restarting services may briefly disrupt building or facility automation. 5. Post-patch, verify BACnet communication is restored and all dependent systems re-sync correctly. 6. Keep bacnet_stack and related libraries updated going forward to avoid future vulnerabilities.
Detection guidance
Monitor BACnet network traffic for malformed or truncated messages that trigger decoder errors or service crashes. Enable debug or error logging on BACnet services to capture bacnet_tag_number_decode failures. Watch for repeated service restarts or crashes correlated with network traffic spikes. Implement network IDS/IPS rules to detect anomalous BACnet protocol patterns or overly long tag number fields that could trigger the out-of-bounds read. Query logs for exceptions or segmentation faults in bacnet_stack-linked processes. If BACnet services are containerized or virtualized, monitor resource usage for abnormal terminations.
Why prioritize this
This vulnerability merits urgent attention because it affects core infrastructure systems (BACnet controls), requires no authentication to exploit, and is remotely triggerable. The HIGH CVSS score (7.5) reflects significant availability risk. Although not yet listed on CISA's Known Exploited Vulnerabilities catalog, the low barrier to weaponization means it should be patched promptly. Prioritize critical or safety-sensitive BACnet deployments (fire, HVAC in data centers, healthcare facilities) first, then remediate all other instances.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) is driven by: Network-accessible attack vector (AV:N), low attack complexity (AC:L), no authentication required (PR:N), no user interaction needed (UI:N), and high availability impact (A:H). The vulnerability does not affect confidentiality or integrity, so those scores are zero. The score reflects a readily exploitable flaw that causes service disruption but does not lead to data compromise or system control. The severity is justified by the criticality of BACnet-controlled infrastructure.
Frequently asked questions
Is bacnet_stack 1.3.1 still widely deployed?
bacnet_stack is a foundational open-source BACnet library used by many building automation platforms, industrial controllers, and embedded systems. Version 1.3.1 may still be embedded in deployed systems, legacy products, or devices with infrequent updates. Inventory your infrastructure through vendor documentation, build manifests, and dependency scans to determine exposure.
Can this vulnerability be exploited without sending a special network message?
No. The flaw is triggered only when bacnet_tag_number_decode processes a maliciously crafted BACnet tag number field in a network message. Passive observation or accidental misconfiguration will not trigger it. However, any attacker with network access to a BACnet endpoint can attempt exploitation, making network segmentation a key mitigation.
Will patching cause downtime to my BACnet systems?
Patching bacnet_stack typically requires restarting the affected service or application. This will cause brief interruption to BACnet-controlled systems (HVAC, lighting, fire safety, etc.). Plan patches during maintenance windows and coordinate with facility or operations teams. Some systems may support hot-reload or redundancy to minimize impact; verify with your vendor.
What should I do if I cannot patch immediately?
Implement immediate mitigations: restrict BACnet network access via firewall rules to trusted subnets only, disable remote management interfaces if not required, and enable detailed logging to detect exploitation attempts. Monitor BACnet services for crashes or restarts. Schedule patching as soon as possible, as these mitigations do not eliminate the underlying vulnerability.
This analysis is based on publicly available vulnerability data and industry best practices as of June 2026. Specific patch version numbers and vendor advisories should be verified directly with the bacnet_stack project and affected product vendors. The CVSS score and severity reflect the CVSS 3.1 standard and do not constitute a guarantee of exploitability or risk in any particular environment. Organizations should conduct their own risk assessment based on their network architecture, deployment of bacnet_stack, and criticality of affected systems. This page is for informational purposes and does not constitute professional security advice; consult your internal security team or a qualified third party before implementing any remediation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-41278HIGHWaterfall WF-500 RX Host Out-of-Bounds Read Remote Code Execution
- CVE-2026-0076HIGHAndroid ResourceTypes.cpp Out-of-Bounds Read Privilege Escalation
- CVE-2026-10017HIGHChrome Sandbox Escape via Out-of-Bounds Read in Headless Mode
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10930HIGHChrome ANGLE Out-of-Bounds Read on macOS
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability