{"id":"CVE-2025-66624","summary":"BACnet-stack MS/TP reply matcher OOB read","details":"The BACnet Protocol Stack library provides BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, the npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and are then read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable.","aliases":["GHSA-8wgw-5h6x-qgqg"],"modified":"2026-04-12T18:47:07.411552Z","published":"2025-12-05T18:36:26.280Z","database_specific":{"cwe_ids":["CWE-125"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66624.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66624.json"},{"type":"ADVISORY","url":"https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-8wgw-5h6x-qgqg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66624"},{"type":"FIX","url":"https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bacnet-stack/bacnet-stack","events":[{"introduced":"0"},{"fixed":"9378f7d1e70169ebde4a5090bae7603703eadf48"}]}],"versions":["bacnet-stack-1.0.0","bacnet-stack-1.1.1","bacnet-stack-1.2.0","bacnet-stack-1.3.0","bacnet-stack-1.3.1","bacnet-stack-1.3.2","bacnet-stack-1.3.3","bacnet-stack-1.3.4","bacnet-stack-1.3.5","bacnet-stack-1.3.6","bacnet-stack-1.3.7","bacnet-stack-1.3.8","bacnet-stack-1.4.0","bacnet-stack-1.4.1","bacnet-stack-1.4.2"],"database_specific":{"vanir_si
gnatures":[{"deprecated":false,"source":"https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48","target":{"file":"test/bacnet/npdu/src/main.c"},"signature_version":"v1","id":"CVE-2025-66624-0b6d3b44","digest":{"line_hashes":["83843085046451361637461865476703005241","238587408538411829391835624658536496285","30124409820981892837603001093918822664","207384116977857683315118265959104614746","64600891009193766897136132121167079772","123296708785302795411772286023263043804","216062463529506061808775265920329604388","167503949483983367708514475361697331390","270900316217544285356921364207878267905","156345305460415963468152238411462893353","96127586797258943612213585828857178701","138901371381924957636829174777929359451","155623926383193076197530099774379643183","250564343464638776177484622832188281954","189566913388121754163822969579650204172","138901371381924957636829174777929359451","203702637365953644370142275113033910436","93012385155339784005673562612413392387","33512308264241904797665661391568256497","138901371381924957636829174777929359451","151398964435457316357759387846181452604","11126792372720741654303297847387888673","180254819937695263106382743591546451657","138901371381924957636829174777929359451","250315169354396070139462417731480231881","311530395237296155428893646932377984744","330899126332236215759817413030511438742","14306894211007459567265880931693426760","35287959343168088514192055060431271319","231400318870345363538292201931342737270","16975485939548532498576622031178045539"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"source":"https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48","target":{"file":"src/bacnet/npdu.c"},"signature_version":"v1","id":"CVE-2025-66624-1f63d835","digest":{"line_hashes":["71650205001555385686006880933273131077","229749204888112420672043892506959147620","331330494637105736621701574122208848071","31454154953343564056073117857263
2304780","309098155545447140259544146017864153976","328903728317944145573125988505144219057","60836098315647965641966506866971626735","107645739550186851804233217794436806227","123507665705029548439019133974514876667","316048135846935571482809533138818288098","275821363450216435252324982649028940308","3796414434614534037560151388248932710","18104325649369308008531851651592682517","111651881004670505231910526738131401914","243523273129488535198066991728326507431","309349418545886415013582041521177400380","106070769154322960479077933683963056437","173031774306303719533913682503977438865","275111920263068369140943630913503288700","170328281185125846310836612930078095155","142826307019729926994755319749710336916","255294463983898880421075307643486700488","199679047418838997965019468116038977961","279836750977604746948131494057799567076","4578349424262833927119295216779897876","267111830112764059351659822606425425196","40478145146061576682937057129338719377","327835671912351432994618884626874980325","10306072238909241412423688771431123127","59914586052265839986657607543591892034","213791798062304891829658915769382149165","137751846686267522740107517871653093761","335224573737858210712157763458662005808","145811401381154737414448434414475236177","79576625216154838256741328747148804369","41756126913402734937085275540338921601","305694089813412339401587468732394431731","14585127183480251941086565686292516883","257568305587840834361001730267198441343","561100572699314695764817709289376797","82056544972836017613856275909122210046","258870039900547363458285165389753334479","232152575200052039085231691881160933653"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"source":"https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48","target":{"function":"npdu_is_expected_reply","file":"src/bacnet/npdu.c"},"signature_version":"v1","id":"CVE-2025-66624-28825610","digest":{"function_hash":"284165713238503035960910248294941153739","len
gth":2247},"signature_type":"Function"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.5.0-rc1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66624.json","vanir_signatures_modified":"2026-04-12T18:47:07Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}