{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40279", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T20:22:44.034Z", "datePublished": "2026-04-21T16:29:16.125Z", "dateUpdated": "2026-04-21T19:18:58.492Z"}, "containers": {"cna": {"title": "BACnet Stack: Undefined-behavior signed left shift in `decode_signed32()`", "problemTypes": [{"descriptions": [{"cweId": "CWE-758", "lang": "en", "description": "CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv"}], "affected": [{"vendor": "bacnet-stack", "product": "bacnet-stack", "versions": [{"version": "< 1.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:29:16.125Z"}, "descriptions": [{"lang": "en", "value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. When any of the four bytes has bit 7 set (value \u2265 0x80), the left-shift operation overflows a signed int32_t, which is undefined behavior per the C standard. This is flagged thousands of times per minute by UndefinedBehaviorSanitizer on any BACnet input containing signed-integer property values with high-bit-set bytes. This vulnerability is fixed in 1.4.3."}], "source": {"advisory": "GHSA-326g-j95f-gmxv", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:18:55.401000Z", "id": "CVE-2026-40279", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:18:58.492Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40279", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:18:55.401000Z"}}}], "references": [{"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:03:16.067Z"}}], "cna": {"title": "BACnet Stack: Undefined-behavior signed left shift in `decode_signed32()`", "source": {"advisory": "GHSA-326g-j95f-gmxv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "bacnet-stack", "product": "bacnet-stack", "versions": [{"status": "affected", "version": "< 1.4.3"}]}], "references": [{"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv", "name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. When any of the four bytes has bit 7 set (value \u2265 0x80), the left-shift operation overflows a signed int32_t, which is undefined behavior per the C standard. This is flagged thousands of times per minute by UndefinedBehaviorSanitizer on any BACnet input containing signed-integer property values with high-bit-set bytes. This vulnerability is fixed in 1.4.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-758", "description": "CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:29:16.125Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40279", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:18:58.492Z", "dateReserved": "2026-04-10T20:22:44.034Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:29:16.125Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:*:*:*:*:*:*:*:*", "matchCriteriaId": "B46C7C2C-2BC3-4A72-AEDC-746D4D76A2DE", "versionEndExcluding": "1.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. When any of the four bytes has bit 7 set (value \u2265 0x80), the left-shift operation overflows a signed int32_t, which is undefined behavior per the C standard. This is flagged thousands of times per minute by UndefinedBehaviorSanitizer on any BACnet input containing signed-integer property values with high-bit-set bytes. This vulnerability is fixed in 1.4.3."}], "id": "CVE-2026-40279", "lastModified": "2026-04-27T19:49:23.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:54.853", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-758"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.3)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "bacnet-stack", "source": "cna", "vendor": "bacnet-stack"}, "product": "bacnet_stack", "vendor": "bacnetstack"}], "analysis": {"en": {"generated_at": "2026-04-22T03:03:22.811273+00:00", "value": {"mitigation_remediation": ["Upgrade BACnet Stack to version 1.4.3 or later to remove the undefined behavior in decode_signed32()", "If upgrading is not immediately possible, restrict or sanitize BACnet input so that signed\u2011integer property values do not contain bytes with the most\u2011significant bit set", "Continuously monitor system logs or UBSAN output for undefined Behavior warnings and apply the patch as soon as the updated library is available"], "summary": {"action": "Apply patch", "impact": "Undefined behavior in signed integer reconstruction can lead to unpredictable crashes or data corruption"}, "threat_synthesis": {"affected_systems": "All versions of BACnet Stack prior to 1.4.3, including embedded systems that deploy the open\u2011source library, are affected. Version 1.4.3 and later contain the fix that eliminates the problematic shift operation.", "description_and_impact": "BACnet Stack\u2019s decode_signed32() reconstructs 32\u2011bit signed integers from four APDU bytes. When any byte has its most\u2011significant bit set, the signed left\u2011shift operation overflows a 32\u2011bit signed int, triggering undefined behavior per the C standard. The library reports thousands of violations per minute when processing such input, indicating that maliciously crafted BACnet frames can cause unstable or erratic stack behavior. The undefined behavior may result in crashes or corruption of data, thereby affecting the reliability or integrity of devices using the stack.", "risk_and_exploitability": "The CVSS score of 3.7 indicates low severity. No EPSS score is currently available, and the issue is not listed in CISA\u2019s KEV catalog. The attack vector is likely remote over the BACnet network; an attacker would need to send BACnet frames that contain signed\u2011integer property values with high\u2011bit set bytes to activate the undefined behavior. While the weakness could cause crashes or unpredictable behavior, no evidence of remote code execution has been reported, keeping the overall risk low for organizations that rely on the stack."}}}}, "created": "2026-04-21T17:30:37.393501+00:00", "updated": "2026-04-22T03:15:06.406925+00:00", "vendors": ["bacnetstack", "bacnetstack$PRODUCT$bacnet_stack"]}