Skip to main content

BACnet Stack CVE-2026-40279

| EUVD-2026-24166 LOW
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior (CWE-758)
2026-04-21 GitHub_M
Buffer Overflow Bacnet Stack
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 19:49 nvd
Patch available
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:38 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:00 euvd
EUVD-2026-24166
Analysis Generated
Apr 21, 2026 - 17:00 vuln.today
CVE Published
Apr 21, 2026 - 16:29 nvd
LOW 3.7

DescriptionGitHub Advisory

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. When any of the four bytes has bit 7 set (value ≥ 0x80), the left-shift operation overflows a signed int32_t, which is undefined behavior per the C standard. This is flagged thousands of times per minute by UndefinedBehaviorSanitizer on any BACnet input containing signed-integer property values with high-bit-set bytes. This vulnerability is fixed in 1.4.3.

AnalysisAI

BACnet Stack prior to version 1.4.3 exhibits undefined behavior in the decode_signed32() function when processing signed-integer property values containing bytes with the high bit set, causing denial of service through integer overflow. Network-remote attackers can trigger this vulnerability by sending specially crafted BACnet packets with high-bit-set byte sequences, resulting in application instability or crash on embedded systems running vulnerable versions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Network reconnaissance of BACnet service
Delivery
Craft BACnet APDU with signed-integer property, high-bit-set bytes
Exploit
Send frame to target device
Execution
Trigger signed left-shift integer overflow in decode_signed32()
Persist
Cause undefined behavior, potential crash or state corruption
Impact
Denial of service to building automation system
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must be network-reachable to the BACnet Stack instance (implying BACnet service port exposure, typically UDP port 47808). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.7 with AV:N/AC:H indicates network-remote attack vector but requires high attack complexity, suggesting non-trivial exploitation constraints. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the network sends a BACnet frame containing a signed-integer property value with bytes having bit 7 set (e.g., 0x80 or higher). The vulnerable decode_signed32() function processes this frame, triggering a signed left-shift integer overflow that violates C standard undefined behavior. …
Remediation Upgrade BACnet Stack to version 1.4.3 or later, which corrects the signed integer overflow in decode_signed32(). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40279 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy