Skip to content

Security: stargieg/bacnet-stack-upstream

Security

SECURITY.md

Security Policy

Supported Versions

The following versions of the BACnet Stack C library are currently being supported with security updates.

Version Supported
1.6.x
1.5.x
1.4.x
1.3.x
1.2.x
1.1.x
1.0.x
0.9.x
0.8.x
0.7.x
< 0.6.x

Coordinated Vulnerability Disclosure

Vulnerabilites are disclosed to CVE or GHSA and a record is created to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

Out-of-bounds read in lighting_command_decode (full APDU size passed to nested tag decoders) GHSA-9hq3-w3pc-8385. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1412.

WriteProperty(File_Size) can bypass read-only protection and expose uninitialized RAMFS tail bytes through AtomicReadFile GHSA-mwj7-2v5r-v934. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1411.

Replacing a RAMFS record with a shorter one via AtomicWriteFile(record-access) can trigger a heap out-of-bounds read GHSA-cf8g-hp9m-9fvv. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1408.

Consecutive AtomicWriteFile(record-access) appends can trigger a heap out-of-bounds read in the RAMFS file backend GHSA-32jj-x86x-w98w. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1408.

Remote unauthenticated DoS in Life_Safety_Zone PROP_ZONE_MEMBERS WriteProperty parsing GHSA-2c8x-f46r-8phh. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1410.

Remote Global-Buffer-Overflow Read in readpropm via Malformed ReadPropertyMultiple-ACK GHSA-3xxw-jfwm-rq9c. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1395.

Remote global-buffer-overflow in apps/router-ipv6/main.c routed APDU forwarding path GHSA-4p4w-m434-jrhj. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1392.

CVE-2026-58265 - Out-of-bounds read in BACnet/SC proprietary header-option decode (bvlc_sc_decode_proprietary_option) GHSA-j66x-fr38-r7m5. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1396.

Pre-auth OOB read in xy_color_decode (BACnetXYColor) via WriteGroup/WriteProperty GHSA-mmg6-p4pr-cj6h. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1386, #1387.

CVE-2026-52790 - bacnet_device.c stack-use-after-return in writable Device string properties GHSA-jr7p-rm2x-739x. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1375.

CVE-2026-52789 - Denial of Service (Infinite Loop) in handler_read_property_multiple via malformed RPM requests. GHSA-4rf9-4vgq-5gcw. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1374.

CVE-2026-52788 - Buffer overflows in bsc_node_parse_urls() (BACnet/SC Address Resolution ACK URL parser). GHSA-rf83-3rr5-v4mj. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1365.

CVE-2026-52786 - apps/epics: malicious ReadPropertyMultiple-ACK with excessive properties causes global-buffer-overflow in ProcessRPMData(). GHSA-c4q6-7827-mfg6. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1366, #1409.

CVE-2026-52787 - Global APDU transmit buffer out-of-bounds write in device.address-binding response encoding via address_list_encode() GHSA-4fgg-fghm-jm43. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1363.

CVE-2026-49990 - AtomicReadFile/AtomicWriteFile stream fileStartPosition validation flaw causes out-of-bounds read/write in RAM file backends. GHSA-8759-hx7g-94qx. Patched versions: 1.4.5, 1.5.1, 1.6.0 Pull Request: #1362.

CVE-2026-47710 - Loop reference to long Structured View description causes stack-buffer-overflow. GHSA-2xm5-gjpc-9m6q. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1355.

CVE-2026-47711 - Stack buffer overflow in Loop internal ReadProperty path via Life_Safety_Zone accepted-modes property. GHSA-vrpm-9gm2-x552. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1354, #1355.

CVE-2026-47259 - Stack-based buffer overflow in Notification Class RemoveListElement recipient-list decoding. GHSA-9w9m-w7w5-rrv3. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1353.

CVE-2026-47258 - Stack-based buffer overflow in Notification Class AddListElement recipient-list decoding. GHSA-rjmv-3mcm-r83j. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1353.

CVE-2026-47257 - ReinitializeDevice ENDRESTORE can delete existing objects on an empty restore file and still return success. GHSA-x6pp-3pf3-f87r. Patched versions: 1.5.1, 1.6.0 Pull Request: #1352.

CVE-2026-49341 - Uncontrolled recursion in Timer object writeback path leads to remote server stack overflow. GHSA-7r8r-2rj2-5wvr. Patched versions: 1.5.1, 1.6.0 Pull Request: #1347

CVE-2026-47217 - Channel member self-reference causes uncontrolled recursion and stack overflow in default BACnet/IP server. GHSA-wjw5-q9g6-2764. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1345.

CVE-2026-46677 - Client-Side Out-of-Bounds Read in AtomicReadFile-ACK Record-Access Handling via RecordCount / fileData[] Mismatch. GHSA-rv5h-cxwq-q3mh. Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1344.

CVE-2026-46676 - Uninitialized Value Use in AtomicReadFile-ACK Record-Access Encoder Causes Response Corruption and Conditional Information Disclosure GHSA-2fwp-32cj-g3x4 Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1344.

CVE-2026-46674 - Out-of-Bounds Read in AtomicWriteFile Record Decoder via Unbounded returnedRecordCount GHSA-8384-pwhh-cxjh Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1344.

CVE-2026-45341 - WriteProperty to Structured View subordinate-list causes NULL pointer dereference GHSA-fv2r-c2m2-7qhh Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1321.

CVE-2026-45265 - Atomic-Read-File RecordCount Stack-Based Out-of-Bounds Write GHSA-v3gx-mwrp-xvh5 Patched versions: 1.4.4, 1.5.1, 1.6.0 Pull Request: #1340.

CVE-2026-40279 - Undefined-behavior signed left shift in decode_signed32() GHSA-326g-j95f-gmxv Patched versions: 1.5.0, 1.4.3 Pull Request: #1300

CVE-2026-41503 - Out-of-Bounds Read in ReadPropertyMultiple Property Decoder via Deprecated Tag Parser GHSA-5w2v-mwqj-pr2c Patched versions: 1.5.0, 1.4.3 Pull Request: #1244

CVE-2026-41502 - Off-by-One Out-of-Bounds Read in ReadPropertyMultiple Object ID Decoder GHSA-7545-3fpx-4xw3 Patched versions: 1.5.0, 1.4.3 Pull Request: #1244

CVE-2026-41475 - Out-of-Bounds Read in WritePropertyMultiple Decoder via Deprecated Tag Parser GHSA-cvv4-v3g6-4jmv Patched versions: 1.5.0, 1.4.3 Pull Request: #1244

CVE-2026-26264 - WriteProperty decoding length underflow leads to OOB read and crash GHSA-phjh-v45p-gmjj Patched versions: 1.5.0, 1.4.3 Pull Request: #1231

CVE-2026-21870 - Off-by-one Stack-based Buffer Overflow in tokenizer_string GHSA-pc83-wp6w-93mx Patched versions: 1.5.0, 1.4.3 Pull Request: #1196

CVE-2026-21878 - Improper Limitation of a Pathname to a Restricted Directory GHSA-p8rx-c26w-545j Patched versions: 1.5.0 Pull Request: #1197

CVE-2025-66624 - BACnet-stack MS/TP reply matcher OOB read GHSA-8wgw-5h6x-qgqg Patched versions: 1.5.0 Pull Request: #1178

CVE-2023-38341 - Multiple out-of-bounds accesses in bacerror code paths #81

CVE-2023-38340 - Out of bounds accesses in bacnet_npdu_decode #80

CVE-2023-38339 - Out of bounds jump in h_apdu.c:apdu_handler #79

CVE-2019-12480 - Invalid read in bacserv when decoding alarm tags #62

CVE-2018-10238 - Segmentation fault leading to denial of service #61

Reporting a Vulnerability

Privately discuss, fix, and publish information about security vulnerabilities in this library using Github Security Advisories: https://github.com/bacnet-stack/bacnet-stack/security/advisories/new

Alternatively, vulnerabilities can be reported using "issues" at Github. https://github.com/bacnet-stack/bacnet-stack/issues

There aren't any published security advisories