High

Denial of Service in Rockwell Automation FLEX I/O 1794-AENTR/1794-AENTRXT EtherNet/IP Adapters

IdentifiersCVE-2026-0646CWE-401· Missing Release of Memory after…

CVE-2026-0646 is a denial-of-service vulnerability affecting Rockwell Automation FLEX I/O dual-port EtherNet/IP adapters, specifically models 1794-AENTR and 1794-AENTRXT running affected firmware such as version 2.012. The issue is caused by improper memory handling of CIP protocol requests, and the available references map it to CWE-401 (missing release of memory after effective lifetime). A remote attacker can send crafted CIP requests to the adapter and trigger a fault condition in the device. When triggered, the adapter loses connection to its associated I/O modules and does not automatically recover, requiring a manual reset to restore operation.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes a loss of availability of the affected adapter. The device can fault and sever communication with attached I/O modules, disrupting EtherNet/IP-connected industrial control operations. Because recovery requires a manual reset, the issue can create sustained operational interruption and potential process downtime until personnel intervene.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to EtherNet/IP/CIP services on affected adapters to trusted hosts and trusted network segments only. Minimize exposure of control devices, ensure they are not reachable from the internet, place control networks behind firewalls, isolate them from business networks, and use secured remote access paths such as updated VPNs. Perform impact analysis and risk assessment before applying defensive changes in production OT environments.

Remediation

Patch, then assume compromise.

Rockwell Automation fixed this vulnerability in firmware version 2.013. Affected organizations should upgrade 1794-AENTR and 1794-AENTRXT adapters from vulnerable firmware, including version 2.012, to version 2.013 or later as provided by the vendor. Validate firmware compatibility and perform appropriate OT change-control and impact assessment before deployment.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Rockwell Automation1794-Aentrhardware

Rockwell AutomationFlex I.O. Ethernet.Ip Adaptershardware

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

security online infoNews

Jun 19, 2026

Rockwell Automation Vulnerabilities: FactoryTalk, FLEX I/O

A denial-of-service vulnerability in Rockwell Automation FLEX I/O 1794-AENTR and 1794-AENTRXT adapters caused by improper memory handling of CIP requests, which can fault the adapter and sever connectivity to attached I/O modules.

cvefeed high severityNews

Jun 16, 2026

CVE-2026-0646 - Rockwell Automation FLEX I/O Dual-port EtherNet/IP Adapters - Multiple Vulnerabilities

A denial-of-service vulnerability in the Rockwell Automation 1794-AENTR adapter caused by improper memory handling of CIP protocol requests, which can fault the adapter and disconnect associated I/O modules until manually reset.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-0646

NVD

nvd.nist.gov/vuln/detail/CVE-2026-0646

MITRE CWE · CWE-401

Missing Release of Memory after Effective…

rockwellautomation.com

rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1775.html