PT-2026-35077 · Unknown · Bacnet Stack

Published: 2026-04-24 · Updated: 2026-04-25 · CVE-2026-41502

CVSS v4.0: 8.7 High
AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

BACnet Stack versions prior to 1.4.3

Description

An off-by-one out-of-bounds read exists in the ReadPropertyMultiple (RPM) service decoder. Unauthenticated remote attackers can read one byte past an allocated buffer boundary by sending a crafted RPM request with a truncated object identifier. The issue occurs in the rpm_decode_object_id() function, whose length check tests only whether apdu_len is less than 5, yet the function subsequently accesses six byte positions (indices 0-5). A 5-byte input satisfies the length check but results in a 1-byte out-of-bounds read, which can cause crashes on embedded devices. The flaw is located in src/bacnet/rpm.c and affects deployments where the ReadPropertyMultiple confirmed service handler is enabled.

Recommendations

Update to version 1.4.3. As a temporary workaround, disable the ReadPropertyMultiple confirmed service handler.
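
The mismatch between the length check and the bytes accessed, as an added C illustration (not code from the BACnet Stack project or from this advisory). The function names, the assumed 6-octet layout (context tag 0, 4-octet object identifier, opening tag 1) and the sample bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The advisory says indices 0-5 are read. Assumed layout (not from the page):
 * context tag 0, 4-octet object identifier, opening tag 1. */
#define OCTETS_READ 6u

/* Check as the advisory describes it: only lengths below 5 are rejected. */
static int check_as_described(size_t apdu_len) { return apdu_len >= 5; }

/* Corrected check: every octet that will be read must be present. */
static int check_fixed(size_t apdu_len) { return apdu_len >= OCTETS_READ; }

/* Octets read past the buffer end when a check has accepted apdu_len. */
static size_t overread(int accepted, size_t apdu_len)
{
    return (accepted && apdu_len < OCTETS_READ) ? OCTETS_READ - apdu_len : 0;
}

/* Hypothetical decoder: returns octets consumed, or -1 if input is rejected. */
static int decode_object_id_checked(const uint8_t *apdu, size_t apdu_len,
                                    uint32_t *object_id)
{
    if (apdu == NULL || object_id == NULL || !check_fixed(apdu_len))
        return -1;                      /* no octet is read before this point */
    if (apdu[0] != 0x0C || apdu[5] != 0x1E)
        return -1;                      /* unexpected tag octets */
    *object_id = ((uint32_t)apdu[1] << 24) | ((uint32_t)apdu[2] << 16) |
                 ((uint32_t)apdu[3] << 8) | (uint32_t)apdu[4];
    return (int)OCTETS_READ;
}

/* Constructed sample: Device object (type 8), instance 1234. */
static const uint8_t SAMPLE[6] = { 0x0C, 0x02, 0x00, 0x04, 0xD2, 0x1E };

int main(void)
{
    uint32_t id = 0;
    int truncated = decode_object_id_checked(SAMPLE, 5, &id);
    int full = decode_object_id_checked(SAMPLE, 6, &id);
    printf("len 5, described check: %zu octet(s) over-read\n",
           overread(check_as_described(5), 5));
    printf("len 5, fixed check:     %zu octet(s) over-read\n",
           overread(check_fixed(5), 5));
    printf("truncated -> %d, full -> %d, id 0x%08X\n", truncated, full,
           (unsigned)id);
    return 0;
}
```
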

Exploit

Fix

Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2026-41502

Affected Products

Bacnet Stack