CVE-2026-40279 - Vulnerability Details

- BACnet Stack: Undefined-behavior signed left shift in `decode_signed32()`

Description

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. When any of the four bytes has bit 7 set (value ≥ 0x80), the left-shift operation overflows a signed int32_t, which is undefined behavior per the C standard. This is flagged thousands of times per minute by UndefinedBehaviorSanitizer on any BACnet input containing signed-integer property values with high-bit-set bytes. This vulnerability is fixed in 1.4.3.

Published: 2026-04-21

Score: 3.7 Low

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

BACnet Stack’s decode_signed32() reconstructs 32‑bit signed integers from four APDU bytes. When any byte has its most‑significant bit set, the signed left‑shift operation overflows a 32‑bit signed int, triggering undefined behavior per the C standard. The library reports thousands of violations per minute when processing such input, indicating that maliciously crafted BACnet frames can cause unstable or erratic stack behavior. The undefined behavior may result in crashes or corruption of data, thereby affecting the reliability or integrity of devices using the stack.

Affected Systems

All versions of BACnet Stack prior to 1.4.3, including embedded systems that deploy the open‑source library, are affected. Version 1.4.3 and later contain the fix that eliminates the problematic shift operation.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity. No EPSS score is currently available, and the issue is not listed in CISA’s KEV catalog. The attack vector is likely remote over the BACnet network; an attacker would need to send BACnet frames that contain signed‑integer property values with high‑bit set bytes to activate the undefined behavior. While the weakness could cause crashes or unpredictable behavior, no evidence of remote code execution has been reported, keeping the overall risk low for organizations that rely on the stack.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

bacnet-stack

affected

Version	Status	Constraints
`< 1.4.3`	affected	—

No data.

Vendor Product Confidence Versions

Bacnetstack

Bacnet Stack

98%

Version	Status	Scheme	Platform
`[0,1.4.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade BACnet Stack to version 1.4.3 or later to remove the undefined behavior in decode_signed32()
If upgrading is not immediately possible, restrict or sanitize BACnet input so that signed‑integer property values do not contain bytes with the most‑significant bit set
Continuously monitor system logs or UBSAN output for undefined Behavior warnings and apply the patch as soon as the updated library is available

Generated by OpenCVE AI on April 22, 2026 at 03:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv

History

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 21 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bacnetstack Bacnetstack bacnet Stack
Vendors & Products		Bacnetstack Bacnetstack bacnet Stack

Tue, 21 Apr 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. When any of the four bytes has bit 7 set (value ≥ 0x80), the left-shift operation overflows a signed int32_t, which is undefined behavior per the C standard. This is flagged thousands of times per minute by UndefinedBehaviorSanitizer on any BACnet input containing signed-integer property values with high-bit-set bytes. This vulnerability is fixed in 1.4.3.
Title		BACnet Stack: Undefined-behavior signed left shift in `decode_signed32()`
Weaknesses		CWE-758
References		https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv
Metrics		cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Bacnetstack Bacnet Stack

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-21T16:29:16.125Z

Updated: 2026-04-21T19:18:58.492Z

Reserved: 2026-04-10T20:22:44.034Z

Link: CVE-2026-40279

Vulnrichment

Updated: 2026-04-21T19:03:16.067Z

NVD

Status : Received

Published: 2026-04-21T17:16:54.853

Modified: 2026-04-21T20:16:59.027

Link: CVE-2026-40279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T03:15:06Z

Weaknesses

CWE-758

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object