CVE-2026-38570: bacnet_stack 1
bacnet_stack 1.3.1 contains an Out-of-bounds Read in bacnet_tag_number_decode which allows attackers to cause a denial of service.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An out-of-bounds read vulnerability exists in bacnet_stack 1.3.1, specifically in the bacnet_tag_number_decode function. The flaw is reachable over the network without any authentication or user interaction, based on the CVSS vector (AV:N/PR:N/UI:N). Successful exploitation allows an attacker to crash the affected service, causing a denial of service. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-38570 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle bacnet_stack 1.3.1.
AvailableHarborGuard is capable of scoring this finding at CVSS 7.5 (HIGH) and weighting it further against each environment's compliance policy. Triage routing to the appropriate team inbox within each customer org is available automatically upon detection.
AvailableNo fix version has been published upstream for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable function is exposed over the network, meaning an attacker must be able to send crafted BACnet packets to the target service to trigger the out-of-bounds read.
- AuthenticationNot required
No credentials or prior authentication are needed; the attacker can reach the vulnerable code as an unauthenticated network peer.
- Victim interactionNot required
No user action is required; the attacker triggers the vulnerability entirely by sending malformed input to the service.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special preconditions, race conditions, or environmental factors to succeed.
Blast Radius
- The affected service process crashes upon receiving a maliciously crafted BACnet message, interrupting all BACnet communication handled by that process.
- Any connected device or system relying on the bacnet_stack service for real-time communication loses its link until the service is restarted.
- Repeated exploitation can sustain a denial-of-service condition indefinitely, preventing recovery without network-level filtering or process supervision.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists yet, HarborGuard continuously monitors the advisory and re-checks for patch availability on every ingest cycle. In the meantime, customers can apply compensating controls through network policy to restrict BACnet port access (typically UDP/TCP 47808) to trusted hosts only, reducing the attack surface without requiring a code change. Egress filtering and namespace-level isolation of workloads running bacnet_stack are also surfaceable through HarborGuard policy recommendations. The moment an upstream fix is published, a patched-image rebuild becomes available on HarborGuard, and for customers with auto-remediation enabled, the rebuild plus regression test run and a PR opened against affected workloads will follow automatically.
- n/a / n/an/a
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H