CVE-2025-68134
BaseFortify
Publication date: 2026-01-21
Last updated on: 2026-02-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | everest | to 2025.10.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the EVerest EV charging software occurs because the code uses the C++ assert function improperly in production. Specifically, in the deserialization of ChargeLoop request messages, if an unexpected control mode is encountered, the code triggers assert(false), causing the module to crash. When any module crashes, the EVerest manager shuts down all other modules and exits, leading to a denial of service. This improper error handling causes the entire system managing multiple EV charging units to become unavailable. [1]
How can this vulnerability impact me? :
The vulnerability can cause a denial of service (DoS) in environments where the EVerest manager controls multiple Electric Vehicle Supply Equipment (EVSE) units. If one module crashes due to this vulnerability, the manager shuts down all other modules and exits, disrupting service for all users relying on those EVSE units. This results in high availability impact, meaning charging services can be unexpectedly interrupted without any user interaction or privileges required by an attacker. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your system is running a vulnerable version of the EVerest EVSE15118D20 package prior to 2025.10.0. Additionally, monitoring for crashes or unexpected shutdowns of the EVerest manager module can indicate exploitation. Since the issue causes the module to crash due to assertion failures, checking logs for assertion failure messages related to 'libiso15118/src/iso15118/message/dc_charge_loop.cpp' at or near line 97 can help detect the problem. Commands to check the installed version might include: `dpkg -l | grep everest` (on Debian-based systems) or `rpm -qa | grep everest` (on RPM-based systems). To monitor logs, commands like `journalctl -u everest-manager.service` or `grep assert /var/log/everest.log` may be useful depending on your logging setup. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the EVerest EVSE15118D20 package to version 2025.10.0 or later, where the vulnerability is fixed by replacing the use of `assert` with proper error handling. Until the upgrade can be applied, consider isolating the affected system from adjacent networks to reduce the risk of exploitation, and monitor the system for crashes to respond quickly. Avoid running vulnerable versions in production environments to prevent denial of service. [1]