Rasird-Del

**Name of the Vulnerable Software and Affected Versions** BACnet Stack versions prior to 1.4.3 **Description** An out-of-bounds read exists in the WritePropertyMultiple service decoder. This occurs because the `wpm decode object property()` function calls the deprecated `decode tag number and value()` function, which lacks bounds checking on the input buffer. An unauthenticated remote attacker can send a crafted BACnet/IP packet with a truncated property payload to read 1-7 bytes beyond the allocated buffer boundaries, potentially leading to information disclosure or system crashes on embedded devices. **Recommendations** Update to version 1.4.3.

**Name of the Vulnerable Software and Affected Versions** BACnet Stack versions prior to 1.4.3 **Description** An off-by-one out-of-bounds read exists in the ReadPropertyMultiple service decoder. Unauthenticated remote attackers can read one byte past an allocated buffer boundary by sending a crafted RPM request with a truncated object identifier. The issue occurs in the `rpm decode object id()` function, which validates that `apdu len` is less than 5 but subsequently accesses six byte positions (indices 0-5). A 5-byte input satisfies the length check but results in a 1-byte out-of-bounds read, which can cause crashes on embedded devices. This flaw is located in src/bacnet/rpm.c and affects deployments where the ReadPropertyMultiple confirmed service handler is enabled. **Recommendations** Update to version 1.4.3. As a temporary workaround, disable the ReadPropertyMultiple confirmed service handler.

**Name of the Vulnerable Software and Affected Versions** BACnet Stack versions prior to 1.4.3 **Description** An out-of-bounds read exists in the ReadPropertyMultiple service property decoder. Unauthenticated remote attackers can read past allocated buffer boundaries by sending a ReadPropertyMultiple request with a truncated property list. This occurs because the `rpm decode object property()` function calls the deprecated `decode tag number and value()` function, which does not accept a buffer length parameter and reads blindly from the provided pointer. A crafted BACnet/IP packet containing a 1-byte property payload with an extended tag marker (0xF9) can cause the decoder to read 1 byte past the end of the buffer, potentially leading to crashes on embedded devices. This issue affects deployments that enable the ReadPropertyMultiple confirmed service handler, which is enabled by default in the reference server. **Recommendations** Update to version 1.4.3. As a temporary workaround, disable the ReadPropertyMultiple confirmed service handler to minimize the risk of exploitation.