CVE-2026-40279
Signed Integer Overflow in BACnet Stack decode_signed32() Function
Publication date: 2026-04-21
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bacnetstack | bacnet_stack | to 1.4.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-758 | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in CVE-2026-40279 is a low-severity undefined behavior issue in the BACnet Stack's decode_signed32() function that primarily affects code correctness and could potentially lead to miscompilations under future compiler optimizations.
There is no indication from the provided information that this vulnerability impacts confidentiality or integrity of data, nor does it directly lead to data breaches or unauthorized access.
As such, this vulnerability does not have a direct effect on compliance with common standards and regulations like GDPR or HIPAA, which focus on protecting personal data confidentiality, integrity, and availability.
The CVSS score confirms no confidentiality or integrity impact and only a low availability impact, further supporting that compliance risks related to data protection regulations are minimal or nonexistent.
Can you explain this vulnerability to me?
CVE-2026-40279 is an undefined behavior vulnerability in the decode_signed32() function of the BACnet Stack open source protocol library. The function reconstructs a 32-bit signed integer from four bytes by performing signed left shifts on each byte cast to a signed 32-bit integer. When any byte has its most significant bit set (value β₯ 0x80), the left shift operation causes an overflow of the signed 32-bit integer, which is undefined behavior according to the C standard.
This undefined behavior is detected frequently by runtime sanitizers during fuzz testing, and although current compilers usually handle it correctly at low optimization levels, future compiler optimizations might exploit this flaw, potentially causing miscompilations and incorrect sign propagation that could bypass sanity checks.
The vulnerability is fixed by performing the shifts on unsigned 32-bit integers first, then casting the combined result back to a signed integer, thus avoiding signed overflow.
How can this vulnerability impact me? :
This vulnerability has a low severity score (CVSS 3.7) and currently no direct exploits or miscompilations have been observed in production builds.
However, because it involves undefined behavior in signed integer operations, future compiler optimizations could cause miscompilations leading to incorrect processing of BACnet data.
Such miscompilations could potentially bypass sanity checks in the protocol stack, possibly causing incorrect behavior or low-impact availability issues in embedded systems using the BACnet Stack.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for runtime errors flagged by UndefinedBehaviorSanitizer (UBSan) related to left-shift operations on signed 32-bit integers when processing BACnet APDU bytes with high-bit-set values (β₯ 0x80). Specifically, errors such as "left shift of 145 by 24 places cannot be represented in type 'int32_t'" indicate the presence of this issue.
A practical detection method is to run the BACnet stack binaries or tests under UBSan instrumentation to catch these undefined behaviors during fuzz testing or normal operation with BACnet input containing signed-integer property values with high-bit-set bytes.
While no direct network detection commands are provided, you can use sanitizers during compilation and testing to detect the issue. For example, compile the BACnet stack with Clang or GCC using the UndefinedBehaviorSanitizer enabled:
- clang -fsanitize=undefined -g -O1 -o bacnet-stack ./src/bacnet/bacint.c
- gcc -fsanitize=undefined -g -O1 -o bacnet-stack ./src/bacnet/bacint.c
Then run the binary with BACnet input containing signed-integer property values with bytes β₯ 0x80 to trigger UBSan errors if the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the BACnet stack to version 1.4.3 or later, where the vulnerability has been fixed by changing the code to perform shifts on unsigned 32-bit integers before casting back to signed integers.
If upgrading is not immediately possible, you should review and patch the vulnerable functions (such as decode_signed32(), decode_signed16(), decode_signed24()) by applying the recommended code fix:
- Replace signed left shifts on int32_t with unsigned 32-bit shifts, e.g.:
- uint32_t u = ((uint32_t)apdu[0] << 24) | ((uint32_t)apdu[1] << 16) | ((uint32_t)apdu[2] << 8) | (uint32_t)apdu[3];
- *value = (int32_t)u;
This avoids undefined behavior and potential miscompilations caused by signed integer overflow during shifts.