PT-2026-35078 · Unknown · Bacnet Stack
Published: 2026-04-24 · Updated: 2026-04-25
CVE-2026-41503
CVSS v4.0: 8.7 High (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
Name of the Vulnerable Software and Affected Versions
BACnet Stack versions prior to 1.4.3
Description
An out-of-bounds read exists in the ReadPropertyMultiple service property decoder. Unauthenticated remote attackers can read past allocated buffer boundaries by sending a ReadPropertyMultiple request with a truncated property list. This occurs because the rpm_decode_object_property() function calls the deprecated decode_tag_number_and_value() function, which does not accept a buffer length parameter and reads blindly from the provided pointer. A crafted BACnet/IP packet containing a 1-byte property payload with an extended tag marker (0xF9) can cause the decoder to read 1 byte past the end of the buffer, potentially leading to crashes on embedded devices. This issue affects deployments that enable the ReadPropertyMultiple confirmed service handler, which is enabled by default in the reference server.
Recommendations
Update to version 1.4.3.
As a temporary workaround, disable the ReadPropertyMultiple confirmed service handler to minimize the risk of exploitation.
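The length check that the description says was missing, as an added example in C (not code from BACnet Stack or from this advisory): tag_header_decode is a hypothetical helper that takes the buffer length and refuses to read an extended tag number or extended length octet lying past it. The byte arrays are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not the BACnet Stack API: decode one BACnet tag header
 * from apdu[0..apdu_len). Returns octets consumed, or 0 if the header is
 * truncated. Outputs are written only on success; len_value is the raw
 * length/value/type field (or the extended length when that field is 5). */
size_t tag_header_decode(const uint8_t *apdu, size_t apdu_len,
                         uint8_t *tag_number, uint32_t *len_value)
{
    size_t pos = 0, n;
    uint8_t first, tag;
    uint32_t lv;
    if (apdu == NULL || apdu_len == 0)
        return 0;
    first = apdu[pos++];
    tag = first >> 4;
    lv = first & 0x07;
    if (tag == 0x0F) {          /* extended tag number is in the next octet */
        if (pos >= apdu_len)
            return 0;           /* a lone 0xF9 stops here: no read past the end */
        tag = apdu[pos++];
    }
    if (lv == 5) {              /* extended length follows */
        if (pos >= apdu_len)
            return 0;
        lv = apdu[pos++];
        if (lv >= 254) {        /* 254: 2-octet length, 255: 4-octet length */
            n = (lv == 254) ? 2 : 4;
            if (apdu_len - pos < n)
                return 0;
            for (lv = 0; n > 0; n--)
                lv = (lv << 8) | apdu[pos++];
        }
    }
    *tag_number = tag;
    *len_value = lv;
    return pos;
}

int main(void)
{
    const uint8_t truncated[] = { 0xF9 };       /* constructed: 1-byte payload */
    const uint8_t complete[] = { 0xF9, 0x20 };  /* constructed: same tag, whole */
    uint8_t tag = 0;
    uint32_t len = 0;
    printf("truncated: %zu\n", tag_header_decode(truncated, sizeof truncated, &tag, &len));
    printf("complete:  %zu\n", tag_header_decode(complete, sizeof complete, &tag, &len));
    return 0;
}
```

A caller treats a return of 0 as a malformed request and rejects it instead of continuing to walk the property list.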
Fix
Out of bounds Read
Weakness Enumeration
Related Identifiers
Affected Products
Bacnet Stack