CVE-2026-40279
Received Received - Intake
Signed Integer Overflow in BACnet Stack decode_signed32() Function

Publication date: 2026-04-21

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. When any of the four bytes has bit 7 set (value β‰₯ 0x80), the left-shift operation overflows a signed int32_t, which is undefined behavior per the C standard. This is flagged thousands of times per minute by UndefinedBehaviorSanitizer on any BACnet input containing signed-integer property values with high-bit-set bytes. This vulnerability is fixed in 1.4.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40279
EUVD
EUVD-2026-24166
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bacnetstack bacnet_stack to 1.4.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-758 The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40279 is an undefined behavior vulnerability in the decode_signed32() function of the BACnet Stack open source protocol library. The function reconstructs a 32-bit signed integer from four bytes by performing signed left shifts on each byte cast to a signed 32-bit integer. When any byte has its most significant bit set (value β‰₯ 0x80), the left shift operation causes an overflow of the signed 32-bit integer, which is undefined behavior according to the C standard.

This undefined behavior is detected frequently by runtime sanitizers during fuzz testing, and although current compilers usually handle it correctly at low optimization levels, future compiler optimizations might exploit this flaw, potentially causing miscompilations and incorrect sign propagation that could bypass sanity checks.

The vulnerability is fixed by performing the shifts on unsigned 32-bit integers first, then casting the combined result back to a signed integer, thus avoiding signed overflow.

Impact Analysis

This vulnerability has a low severity score (CVSS 3.7) and currently no direct exploits or miscompilations have been observed in production builds.

However, because it involves undefined behavior in signed integer operations, future compiler optimizations could cause miscompilations leading to incorrect processing of BACnet data.

Such miscompilations could potentially bypass sanity checks in the protocol stack, possibly causing incorrect behavior or low-impact availability issues in embedded systems using the BACnet Stack.

Detection Guidance

This vulnerability can be detected by monitoring for runtime errors flagged by UndefinedBehaviorSanitizer (UBSan) related to left-shift operations on signed 32-bit integers when processing BACnet APDU bytes with high-bit-set values (β‰₯ 0x80). Specifically, errors such as "left shift of 145 by 24 places cannot be represented in type 'int32_t'" indicate the presence of this issue.

A practical detection method is to run the BACnet stack binaries or tests under UBSan instrumentation to catch these undefined behaviors during fuzz testing or normal operation with BACnet input containing signed-integer property values with high-bit-set bytes.

While no direct network detection commands are provided, you can use sanitizers during compilation and testing to detect the issue. For example, compile the BACnet stack with Clang or GCC using the UndefinedBehaviorSanitizer enabled:

  • clang -fsanitize=undefined -g -O1 -o bacnet-stack ./src/bacnet/bacint.c
  • gcc -fsanitize=undefined -g -O1 -o bacnet-stack ./src/bacnet/bacint.c

Then run the binary with BACnet input containing signed-integer property values with bytes β‰₯ 0x80 to trigger UBSan errors if the vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to upgrade the BACnet stack to version 1.4.3 or later, where the vulnerability has been fixed by changing the code to perform shifts on unsigned 32-bit integers before casting back to signed integers.

If upgrading is not immediately possible, you should review and patch the vulnerable functions (such as decode_signed32(), decode_signed16(), decode_signed24()) by applying the recommended code fix:

  • Replace signed left shifts on int32_t with unsigned 32-bit shifts, e.g.:
  • uint32_t u = ((uint32_t)apdu[0] << 24) | ((uint32_t)apdu[1] << 16) | ((uint32_t)apdu[2] << 8) | (uint32_t)apdu[3];
  • *value = (int32_t)u;

This avoids undefined behavior and potential miscompilations caused by signed integer overflow during shifts.

Compliance Impact

The vulnerability in CVE-2026-40279 is a low-severity undefined behavior issue in the BACnet Stack's decode_signed32() function that primarily affects code correctness and could potentially lead to miscompilations under future compiler optimizations.

There is no indication from the provided information that this vulnerability impacts confidentiality or integrity of data, nor does it directly lead to data breaches or unauthorized access.

As such, this vulnerability does not have a direct effect on compliance with common standards and regulations like GDPR or HIPAA, which focus on protecting personal data confidentiality, integrity, and availability.

The CVSS score confirms no confidentiality or integrity impact and only a low availability impact, further supporting that compliance risks related to data protection regulations are minimal or nonexistent.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40279. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart