The following versions of the BACnet Stack C library are currently being supported with security updates.
| Version | Supported |
|---|---|
| 1.5.x | ✅ |
| 1.4.x | ✅ |
| 1.3.x | ❌ |
| 1.2.x | ❌ |
| 1.1.x | ❌ |
| 1.0.x | ❌ |
| 0.9.x | ❌ |
| 0.8.x | ❌ |
| 0.7.x | ❌ |
| < 0.6.x | ❌ |
Vulnerabilities are disclosed to CVE or GHSA and a record is created to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. Here are the published vulnerability records:
CVE-2026-46677 - Client-Side Out-of-Bounds Read in AtomicReadFile-ACK Record-Access Handling via RecordCount / fileData[] Mismatch GHSA-rv5h-cxwq-q3mh
CVE-2026-46676 - Uninitialized Value Use in AtomicReadFile-ACK Record-Access Encoder Causes Response Corruption and Conditional Information Disclosure GHSA-2fwp-32cj-g3x4
CVE-2026-46674 - Out-of-Bounds Read in AtomicWriteFile Record Decoder via Unbounded returnedRecordCount GHSA-8384-pwhh-cxjh
CVE-2026-45341 - WriteProperty to Structured View subordinate-list causes NULL pointer dereference GHSA-fv2r-c2m2-7qhh
CVE-2026-45265 - Atomic-Read-File RecordCount Stack-Based Out-of-Bounds Write GHSA-v3gx-mwrp-xvh5
CVE-2026-40279 - Undefined-behavior signed left shift in decode_signed32() GHSA-326g-j95f-gmxv
CVE-2026-41503 - Out-of-Bounds Read in ReadPropertyMultiple Property Decoder via Deprecated Tag Parser GHSA-5w2v-mwqj-pr2c
CVE-2026-41502 - Off-by-One Out-of-Bounds Read in ReadPropertyMultiple Object ID Decoder GHSA-7545-3fpx-4xw3
CVE-2026-41475 - Out-of-Bounds Read in WritePropertyMultiple Decoder via Deprecated Tag Parser GHSA-cvv4-v3g6-4jmv
CVE-2026-26264 - WriteProperty decoding length underflow leads to OOB read and crash GHSA-phjh-v45p-gmjj
CVE-2026-21870 - Off-by-one Stack-based Buffer Overflow in tokenizer_string GHSA-pc83-wp6w-93mx
CVE-2026-21878 - Improper Limitation of a Pathname to a Restricted Directory GHSA-p8rx-c26w-545j
CVE-2025-66624 - BACnet-stack MS/TP reply matcher OOB read GHSA-8wgw-5h6x-qgqg
CVE-2023-38341 - Multiple out-of-bounds accesses in bacerror code paths #81
CVE-2023-38340 - Out of bounds accesses in bacnet_npdu_decode #80
CVE-2023-38339 - Out of bounds jump in h_apdu.c:apdu_handler #79
CVE-2019-12480 - Invalid read in bacserv when decoding alarm tags #62
CVE-2018-10238 - Segmentation fault leading to denial of service #61
Privately discuss, fix, and publish information about security vulnerabilities in this library using GitHub Security Advisories: https://github.com/bacnet-stack/bacnet-stack/security/advisories/new
Alternatively, vulnerabilities can be reported using "issues" at GitHub: https://github.com/bacnet-stack/bacnet-stack/issues