CVE-2026-40279— BACnet Stack: Undefined-behavior signed left shift in `decode_signed32()`
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40279
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
BACnet Stack: Undefined-behavior signed left shift in `decode_signed32()`
Source: NVD (National Vulnerability Database)
Vulnerability Description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. When any of the four bytes has bit 7 set (value ≥ 0x80), the left-shift operation overflows a signed int32_t, which is undefined behavior per the C standard. This is flagged thousands of times per minute by UndefinedBehaviorSanitizer on any BACnet input containing signed-integer property values with high-bit-set bytes. This vulnerability is fixed in 1.4.3.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
依赖未定义、未指明或实现定义的行为
Source: NVD (National Vulnerability Database)
Vulnerability Title
BACnet Stack 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
BACnet Stack是BACnet Stack开源的一个适用于嵌入式系统、Linux、MacOS、BSD 和 Windows 的 BACnet 开源协议栈 C 库。 BACnet Stack 1.4.3之前版本存在安全漏洞,该漏洞源于src/bacnet/bacint.c中的decode_signed32函数使用有符号左移从四个APDU字节重构32位有符号整数时,当任何字节的第7位被设置时,左移操作会导致有符号int32_t溢出,这是未定义行为。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| bacnet-stack | bacnet-stack | < 1.4.3 | - |
II. Public POCs for CVE-2026-40279
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40279
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: bacnet-stack
- CVE-2026-41503
BACnet Stack: Out-of-Bounds Read in ReadPropertyMultiple Pro - CVE-2026-41502
BACnet Stack: Off-by-One Out-of-Bounds Read in ReadPropertyM - CVE-2026-41475
BACnet Stack: Out-of-Bounds Read in WritePropertyMultiple De - CVE-2026-26264
BACnet Stack WriteProperty decoding length underflow leads t - CVE-2026-21878
BACnet Stack Improperly Limits Pathnames to a Restricted Dir
Same vendor: bacnet-stack
- CVE-2026-41503
BACnet Stack: Out-of-Bounds Read in ReadPropertyMultiple Pro - CVE-2026-41502
BACnet Stack: Off-by-One Out-of-Bounds Read in ReadPropertyM - CVE-2026-41475
BACnet Stack: Out-of-Bounds Read in WritePropertyMultiple De - CVE-2026-26264
BACnet Stack WriteProperty decoding length underflow leads t - CVE-2026-21878
BACnet Stack Improperly Limits Pathnames to a Restricted Dir
V. Comments for CVE-2026-40279
No comments yet