Executive Summary

CVE-2026-0646 is a missing release of memory after effective lifetime flaw in Rockwell Automation 1794-AENTR and 1794-AENTRXT FLEX I/O EtherNet/IP adapters running V2.012, allowing a remote unauthenticated actor to drive the device into resource exhaustion and a loss of availability. Because these adapters carry the remote I/O backplane traffic for distributed FLEX chassis, a successful attack severs the controller from its field I/O, stripping the process of input visibility and output control.

Technical Exposure Breakdown

The 1794-AENTR family functions as the EtherNet/IP communication adapter for FLEX I/O, mapping discrete and analog field modules onto a controller's I/O tree over CIP. CVE-2026-0646 is rated CVSS v3 9.4 by the vendor and is paired with CVE-2026-0647 on the same affected firmware. The root cause is memory that is allocated during request handling but never released, a classic CWE-401 condition.

The practical attack vector is network-reachable and does not require authentication. An adversary with a path to the adapter's EtherNet/IP service repeatedly opens sessions or issues crafted requests that each consume a block of memory the firmware fails to free. Over time the adapter's heap is depleted, leading to dropped connections, failure to establish new CIP class 1 cyclic data, and ultimately a watchdog-driven fault or hang. No code execution is implied, but in OT the availability loss is the entire impact that matters.

The conditions are favorable to an attacker. EtherNet/IP runs on TCP and UDP 44818 and 2222, and FLEX I/O adapters are frequently flat on the cell or area network with no segmentation between the controller and the I/O. Many of these chassis were commissioned years ago and have never had firmware touched because the commissioning engineer treated the adapter as a fixed appliance. V2.012 is a common field revision.

OT Impact and Compliance Risk

The physical consequence is a remote I/O dropout. When the adapter exhausts memory and faults, the controller loses its connection to every FLEX module behind that adapter. Depending on configured connection fault behavior, outputs go to their fault state or hold last value, and the controller may post a major fault that halts the program. For a chemical batch, a water treatment skid, or a packaging line, this is an immediate process trip with no clean recovery until the adapter is power cycled and the connection reestablished.

For NERC CIP environments, an adapter that loses availability inside an Electronic Security Perimeter is a CIP-007 patch management and CIP-005 boundary exposure question. Under IEC 62443-3-3, this maps directly to SR 7.1 and SR 7.2, denial of service protection and resource management at the device level, which the affected firmware fails to satisfy. Water and wastewater operators governed by AWIA 2018 should treat any device controlling treatment processes as in scope for their risk and resilience assessment. Pipeline operators under TSA SD-02C must account for this in their network segmentation and continuous monitoring obligations.

Compensating Controls

Do not run an aggressive active scan against these adapters to confirm exposure. The same memory exhaustion behavior that an attacker exploits can be triggered by an unmanaged vulnerability scanner, and active probing of FLEX I/O has bricked or faulted production chassis before. Confirm firmware revision passively or from engineering records.

BreachSpider Intel

BreachSpider tracks CVE-2026-0646 and related Rockwell FLEX I/O advisories against your asset inventory so you can prioritize conduit hardening and firmware staging before exposure becomes an outage.