Executive Summary

CVE-2026-0647 is a Missing Release of Memory weakness in Rockwell Automation FLEX I/O EtherNet/IP adapters (1794-AENTR and 1794-AENTRXT at V2.012) that lets a remote attacker exhaust adapter memory through crafted EtherNet/IP traffic, paired with CVE-2026-0646 to enable unauthorized access and account takeover. Because these adapters sit at the boundary between the control network and physical field I/O, exhaustion produces loss of availability that drops digital and analog points feeding live process control.

Technical Exposure Breakdown

The vulnerable component is the EtherNet/IP communication adapter that fronts a FLEX I/O rack. The 1794-AENTR and the extended temperature variant 1794-AENTRXT terminate CIP sessions and relay I/O data between the controller and the field terminal base units. The defect class is a memory leak: the adapter allocates memory to service requests but fails to release it under specific conditions, so repeated or sustained interaction drives the device toward an out of memory state.

The attack vector is the network. EtherNet/IP runs over standard TCP and UDP on port 44818 with implicit I/O on UDP 2222, which means any host with routable reach to the adapter can drive the condition. No physical access is required. The vendor rates this combination at CVSS v3 9.4, which is consistent with a low complexity, network reachable defect that yields availability collapse and, when chained with CVE-2026-0646, authentication bypass and session control.

The conditions that matter in OT are reachability and persistence. A single burst of malformed or high volume requests may not crash the adapter immediately. A leak grinds the device down over hours or days until it resets, faults, or stops responding to the controller. That delayed failure mode makes correlation harder, because the operator sees an I/O fault long after the triggering traffic occurred.

OT Impact and Compliance Risk

When a FLEX I/O adapter loses availability, the controller loses its window into the connected terminal bases. Depending on the configured connection timeout and the program logic, the controller may fault, hold last state, or drive outputs to a configured safe state. None of those outcomes are neutral on a running process. Loss of a flow input, a level transmitter, or a discrete interlock signal can force a unit trip or, worse, mask a real process condition during the blackout window.

For NERC CIP entities, an adapter at this layer is frequently a BES Cyber Asset or part of a BES Cyber System, which pulls it into CIP-007 patch and ports management and CIP-010 configuration monitoring obligations. Under IEC 62443, this maps to a foundational requirement gap in resource availability (FR 7) and timely response to events. Pipeline operators under TSA SD-02C carry network segmentation and continuous monitoring mandates that directly bear on whether this adapter is reachable from a flat network. Water and wastewater utilities subject to AWIA 2018 risk and resilience assessments should treat a remotely exhaustible field adapter as a quantifiable availability risk to treatment control.

Compensating Controls

Do not rely on a maintenance window patch as your only response, and do not active scan these adapters to confirm exposure. Active scanning of EtherNet/IP field devices can fault or brick them, and the very defect here is triggered by network interaction. Validate inventory passively from controller project files and switch CAM tables instead.

BreachSpider Intel Footer

BreachSpider tracks Rockwell field layer advisories and KEV program changes against your asset inventory so you see exposure shifts on CVE-2026-0647 before they reach your process network.