The following versions of the BACnet Stack C library are currently being supported with security updates.
| Version | Supported |
|---|---|
| 1.6.x | ✅ |
| 1.5.x | ✅ |
| 1.4.x | ✅ |
| 1.3.x | ❌ |
| 1.2.x | ❌ |
| 1.1.x | ❌ |
| 1.0.x | ❌ |
| 0.9.x | ❌ |
| 0.8.x | ❌ |
| 0.7.x | ❌ |
| < 0.6.x | ❌ |
Vulnerabilites are disclosed to CVE or GHSA and a record is created to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
Out-of-bounds read in lighting_command_decode (full APDU size passed to nested tag decoders) GHSA-9hq3-w3pc-8385. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1412.
WriteProperty(File_Size) can bypass read-only protection and expose uninitialized RAMFS tail bytes through AtomicReadFile GHSA-mwj7-2v5r-v934. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1411.
Replacing a RAMFS record with a shorter one via AtomicWriteFile(record-access) can trigger a heap out-of-bounds read GHSA-cf8g-hp9m-9fvv. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1408.
Consecutive AtomicWriteFile(record-access) appends can trigger a heap out-of-bounds read in the RAMFS file backend GHSA-32jj-x86x-w98w. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1408.
Remote unauthenticated DoS in Life_Safety_Zone PROP_ZONE_MEMBERS WriteProperty parsing GHSA-2c8x-f46r-8phh. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1410.
Remote Global-Buffer-Overflow Read in readpropm via Malformed ReadPropertyMultiple-ACK GHSA-3xxw-jfwm-rq9c. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1395.
Remote global-buffer-overflow in apps/router-ipv6/main.c routed APDU forwarding path GHSA-4p4w-m434-jrhj. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1392.
CVE-2026-58265 - Out-of-bounds read in BACnet/SC proprietary header-option decode (bvlc_sc_decode_proprietary_option) GHSA-j66x-fr38-r7m5. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1396.
Pre-auth OOB read in xy_color_decode (BACnetXYColor) via WriteGroup/WriteProperty GHSA-mmg6-p4pr-cj6h. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1386, #1387.
CVE-2026-52790 - bacnet_device.c stack-use-after-return in writable Device string properties GHSA-jr7p-rm2x-739x. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1375.
CVE-2026-52789 - Denial of Service (Infinite Loop) in handler_read_property_multiple via malformed RPM requests. GHSA-4rf9-4vgq-5gcw. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1374.
CVE-2026-52788 - Buffer overflows in bsc_node_parse_urls() (BACnet/SC Address Resolution ACK URL parser). GHSA-rf83-3rr5-v4mj. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1365.
CVE-2026-52786 - apps/epics: malicious ReadPropertyMultiple-ACK with excessive properties causes global-buffer-overflow in ProcessRPMData(). GHSA-c4q6-7827-mfg6. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1366, #1409.
CVE-2026-52787 - Global APDU transmit buffer out-of-bounds write in device.address-binding response encoding via address_list_encode() GHSA-4fgg-fghm-jm43. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1363.
CVE-2026-49990 - AtomicReadFile/AtomicWriteFile stream fileStartPosition validation flaw causes out-of-bounds read/write in RAM file backends. GHSA-8759-hx7g-94qx. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1362.
CVE-2026-47710 - Loop reference to long Structured View description causes stack-buffer-overflow. GHSA-2xm5-gjpc-9m6q. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1355.
CVE-2026-47711 - Stack buffer overflow in Loop internal ReadProperty path via Life_Safety_Zone accepted-modes property. GHSA-vrpm-9gm2-x552. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1354, #1355.
CVE-2026-47259 - Stack-based buffer overflow in Notification Class RemoveListElement recipient-list decoding. GHSA-9w9m-w7w5-rrv3. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1353.
CVE-2026-47258 - Stack-based buffer overflow in Notification Class AddListElement recipient-list decoding. GHSA-rjmv-3mcm-r83j. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1353.
CVE-2026-47257 - ReinitializeDevice ENDRESTORE can delete existing objects on an empty restore file and still return success. GHSA-x6pp-3pf3-f87r. Patched versions: 1.5.1, 1.6.0 Pull Request: #1352.
CVE-2026-49341 - Uncontrolled recursion in Timer object writeback path leads to remote server stack overflow. GHSA-7r8r-2rj2-5wvr. Patched versions: 1.5.1, 1.6.0 Pull Request: #1347
CVE-2026-47217 - Channel member self-reference causes uncontrolled recursion and stack overflow in default BACnet/IP server. GHSA-wjw5-q9g6-2764. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1345.
CVE-2026-46677 - Client-Side Out-of-Bounds Read in AtomicReadFile-ACK Record-Access Handling via RecordCount / fileData[] Mismatch. GHSA-rv5h-cxwq-q3mh. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1344.
CVE-2026-46676 - Uninitialized Value Use in AtomicReadFile-ACK Record-Access Encoder Causes Response Corruption and Conditional Information Disclosure GHSA-2fwp-32cj-g3x4 Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1344.
CVE-2026-46674 - Out-of-Bounds Read in AtomicWriteFile Record Decoder via Unbounded returnedRecordCount GHSA-8384-pwhh-cxjh Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1344.
CVE-2026-45341 - WriteProperty to Structured View subordinate-list causes NULL pointer dereference GHSA-fv2r-c2m2-7qhh Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1321.
CVE-2026-45265 - Atomic-Read-File RecordCount Stack-Based Out-of-Bounds Write GHSA-v3gx-mwrp-xvh5 Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1340.
CVE-2026-40279 -
Undefined-behavior signed left shift in decode_signed32()
GHSA-326g-j95f-gmxv
Patched versions: 1.5.0, 1.4.3
Pull Request: #1300
CVE-2026-41503 - Out-of-Bounds Read in ReadPropertyMultiple Property Decoder via Deprecated Tag Parser GHSA-5w2v-mwqj-pr2c Patched versions: 1.5.0, 1.4.3 Pull Request: #1244
CVE-2026-41502 - Off-by-One Out-of-Bounds Read in ReadPropertyMultiple Object ID Decoder GHSA-7545-3fpx-4xw3 Patched versions: 1.5.0, 1.4.3 Pull Request: #1244
CVE-2026-41475 - Out-of-Bounds Read in WritePropertyMultiple Decoder via Deprecated Tag Parser GHSA-cvv4-v3g6-4jmv Patched versions: 1.5.0, 1.4.3 Pull Request: #1244
CVE-2026-26264 - WriteProperty decoding length underflow leads to OOB read and crash GHSA-phjh-v45p-gmjj Patched versions: 1.5.0, 1.4.3 Pull Request: #1231
CVE-2026-21870 - Off-by-one Stack-based Buffer Overflow in tokenizer_string GHSA-pc83-wp6w-93mx Patched versions: 1.5.0, 1.4.3 Pull Request: #1196
CVE-2026-21878 - Improper Limitation of a Pathname to a Restricted Directory GHSA-p8rx-c26w-545j Patched versions: 1.5.0 Pull Request: #1197
CVE-2025-66624 - BACnet-stack MS/TP reply matcher OOB read GHSA-8wgw-5h6x-qgqg Patched versions: 1.5.0 Pull Request: #1178
CVE-2023-38341 - Multiple out-of-bounds accesses in bacerror code paths #81
CVE-2023-38340 - Out of bounds accesses in bacnet_npdu_decode #80
CVE-2023-38339 - Out of bounds jump in h_apdu.c:apdu_handler #79
CVE-2019-12480 - Invalid read in bacserv when decoding alarm tags #62
CVE-2018-10238 - Segmentation fault leading to denial of service #61
Privately discuss, fix, and publish information about security vulnerabilities in this library using Github Security Advisories: https://github.com/bacnet-stack/bacnet-stack/security/advisories/new
Alternatively, vulnerabilities can be reported using "issues" at Github. https://github.com/bacnet-stack/bacnet-stack/issues