Integer Overflow Vulnerability in BACnet Stack for Embedded Systems
CVE-2026-40279

3.7LOW

Key Information:

Vendor: Bacnet-stack
Status: Bacnet-stack
Vendor: CVE Published:; 21 April 2026

🔔 Create Bacnet-stack Vulnerability Alert

What is CVE-2026-40279?

The BACnet Stack is an open-source protocol stack for embedded systems that faced an integer overflow issue in its decode_signed32() function before version 1.4.3. This function reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. If any byte has its highest bit set (value ≥ 0x80), it causes a left-shift overflow on a signed int32_t, resulting in undefined behavior, which is flagged repeatedly by UndefinedBehaviorSanitizer on affected inputs. This vulnerability is addressed in version 1.4.3, ensuring safer processing of signed integer property values.

Affected Version(s)

bacnet-stack < 1.4.3

References

https://github.com/bacnet-stack/bacnet-stack/security/adv...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 10, 2026

CVE-2026-40279 Data

JSON