Executive Summary
CVE-2026-0647 is a Missing Release of Memory weakness in Rockwell Automation FLEX I/O EtherNet/IP adapters (1794-AENTR and 1794-AENTRXT at V2.012) that lets a remote attacker exhaust adapter memory through crafted EtherNet/IP traffic, paired with CVE-2026-0646 to enable unauthorized access and account takeover. Because these adapters sit at the boundary between the control network and physical field I/O, exhaustion produces loss of availability that drops digital and analog points feeding live process control.
Technical Exposure Breakdown
The vulnerable component is the EtherNet/IP communication adapter that fronts a FLEX I/O rack. The 1794-AENTR and the extended temperature variant 1794-AENTRXT terminate CIP sessions and relay I/O data between the controller and the field terminal base units. The defect class is a memory leak: the adapter allocates memory to service requests but fails to release it under specific conditions, so repeated or sustained interaction drives the device toward an out of memory state.
The attack vector is the network. EtherNet/IP runs over standard TCP and UDP on port 44818 with implicit I/O on UDP 2222, which means any host with routable reach to the adapter can drive the condition. No physical access is required. The vendor rates this combination at CVSS v3 9.4, which is consistent with a low complexity, network reachable defect that yields availability collapse and, when chained with CVE-2026-0646, authentication bypass and session control.
The conditions that matter in OT are reachability and persistence. A single burst of malformed or high volume requests may not crash the adapter immediately. A leak grinds the device down over hours or days until it resets, faults, or stops responding to the controller. That delayed failure mode makes correlation harder, because the operator sees an I/O fault long after the triggering traffic occurred.
OT Impact and Compliance Risk
When a FLEX I/O adapter loses availability, the controller loses its window into the connected terminal bases. Depending on the configured connection timeout and the program logic, the controller may fault, hold last state, or drive outputs to a configured safe state. None of those outcomes are neutral on a running process. Loss of a flow input, a level transmitter, or a discrete interlock signal can force a unit trip or, worse, mask a real process condition during the blackout window.
For NERC CIP entities, an adapter at this layer is frequently a BES Cyber Asset or part of a BES Cyber System, which pulls it into CIP-007 patch and ports management and CIP-010 configuration monitoring obligations. Under IEC 62443, this maps to a foundational requirement gap in resource availability (FR 7) and timely response to events. Pipeline operators under TSA SD-02C carry network segmentation and continuous monitoring mandates that directly bear on whether this adapter is reachable from a flat network. Water and wastewater utilities subject to AWIA 2018 risk and resilience assessments should treat a remotely exhaustible field adapter as a quantifiable availability risk to treatment control.
Compensating Controls
Do not rely on a maintenance window patch as your only response, and do not active scan these adapters to confirm exposure. Active scanning of EtherNet/IP field devices can fault or brick them, and the very defect here is triggered by network interaction. Validate inventory passively from controller project files and switch CAM tables instead.
- Enforce L2 segmentation so only the parent controller and engineering workstation can originate sessions to the adapter. Block 44818 and 2222 at the cell boundary for all other sources.
- Apply a virtual patch at the IDS or inline tap. A Suricata rule concept: alert on a high rate of CIP forward open or list services requests from any host that is not the bound controller, keyed on dest port 44818 and a configurable rate threshold per source. This catches the exhaustion driver without touching the device.
- Tighten CIP connection timeouts and verify the controller fault routine drives a known safe state on I/O loss rather than holding stale data.
- Monitor adapter free memory and reset counters through the controller or asset management tool to detect the slow leak before it produces a hard fault.
- Remove any management or HMI exposure to these adapters from corporate and remote access paths.
BreachSpider Intel Footer
BreachSpider tracks Rockwell field layer advisories and KEV program changes against your asset inventory so you see exposure shifts on CVE-2026-0647 before they reach your process network.