PatchSiren cyber security CVE debrief
CVE-2026-38570 bacnet-stack CVE debrief
CVE-2026-38570 is a HIGH-severity vulnerability in the bacnet_stack 1.3.1 library. The vulnerability is caused by an Out-of-bounds Read in the `bacnet_tag_number_decode` function, which can be exploited by attackers to cause a denial of service. The vulnerability has a CVSS score of 7.5 and was published on 2026-06-04 ([CVE record](https://www.cve.org/CVERecord?id=CVE-2026-38570)).
- Vendor: bacnet-stack
- Product: bacnet_stack
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-08
Who should care
Users of the bacnet_stack 1.3.1 library should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by an Out-of-bounds Read in the `bacnet_tag_number_decode` function. This can be exploited by attackers to cause a denial of service.
Defensive priority
HIGH
Recommended defensive actions
- Update to a patched version of the bacnet_stack library, if available.
- Implement input validation and bounds checking to prevent exploitation.
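A bounds-checked decode of the BACnet tag octets, added here to illustrate the second action; it is not bacnet-stack code or the fix for this CVE, and `tag_header_decode` and `struct tag_header` are hypothetical names. It assumes the standard BACnet tag layout, in which a tag-number field of 1111 means the number is carried in the following octet, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result type for this example (not a bacnet-stack type). */
struct tag_header {
    uint8_t number;  /* tag number */
    uint8_t context; /* 1 = context-specific class, 0 = application class */
    uint8_t lvt;     /* length/value/type bits of the initial octet */
};

/* Decode the initial tag octet(s) of an APDU fragment.
 * Returns the octets consumed (1 or 2), or 0 if the buffer is too short.
 * *out is written only on success. */
size_t tag_header_decode(const uint8_t *apdu, size_t apdu_len,
                         struct tag_header *out)
{
    uint8_t number;
    size_t used = 1;

    if (apdu == NULL || out == NULL || apdu_len < 1)
        return 0;
    if ((apdu[0] & 0xF0u) == 0xF0u) {
        /* Extended tag number: verify the length before reading apdu[1]. */
        if (apdu_len < 2)
            return 0;
        number = apdu[1];
        used = 2;
    } else {
        number = (uint8_t)(apdu[0] >> 4);
    }
    out->number = number;
    out->context = (uint8_t)((apdu[0] >> 3) & 1u);
    out->lvt = (uint8_t)(apdu[0] & 0x07u);
    return used;
}

int main(void)
{
    /* Constructed samples: a short tag, an extended tag, a truncated one. */
    const uint8_t short_tag[] = { 0x21, 0x05 };
    const uint8_t ext_tag[] = { 0xF9, 0x10 };
    struct tag_header h = { 0, 0, 0 };

    printf("short: %zu\n", tag_header_decode(short_tag, sizeof short_tag, &h));
    printf("extended: %zu\n", tag_header_decode(ext_tag, sizeof ext_tag, &h));
    printf("truncated: %zu\n", tag_header_decode(ext_tag, 1, &h));
    return 0;
}
```

A caller treats a return of 0 as a malformed frame and drops it instead of continuing to parse.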
Evidence notes
The vulnerability was reported in the National Vulnerability Database (NVD) and has a CVE record [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-38570).
Official resources
CVE-2026-38570 was published on 2026-06-04T16:16:35.923Z and modified on 2026-06-08T15:16:45.803Z.