Detection Guidance

This vulnerability arises from a stack buffer overflow in the HomeplugMessage::setup_payload function when processing oversized SLAC payloads. Detection involves monitoring for unusually large SLAC frames exceeding approximately 1497 bytes, which can trigger the overflow.

Since the vulnerability is triggered by network-provided frames with oversized payloads, network traffic analysis tools can be used to detect suspicious SLAC frames.

Suggested commands include using packet capture tools like tcpdump or Wireshark to filter and inspect SLAC frames for payload sizes larger than the expected limit.

• tcpdump -i <interface> -s 2000 -w capture.pcap 'ether proto 0x88e1' # Capture HomePlug AV frames (SLAC frames use this Ethertype)
• Use Wireshark to open capture.pcap and filter for SLAC frames with payload length > 1497 bytes.

Additionally, monitoring for crashes or abnormal behavior in the EVerest software, especially in release builds, can indicate exploitation attempts.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows remote code execution with high impact on confidentiality, integrity, and availability of the affected system. Such a compromise can lead to unauthorized access to sensitive data and disruption of services.

As a result, organizations using affected versions of the EVerest software may face challenges in maintaining compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring data integrity, and maintaining system availability.

Failure to patch this vulnerability could lead to data breaches or service interruptions, potentially resulting in regulatory penalties or legal consequences.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the EVerest software to version 2026.02.0 or later, which contains the patch fixing this vulnerability.

Until the upgrade can be applied, restrict or block adjacent network access to the affected system to prevent attackers from sending malicious SLAC frames.

Implement network-level filtering to drop SLAC frames with payloads larger than the safe limit (~1497 bytes) to prevent exploitation.

Monitor system logs and application behavior for signs of crashes or suspicious activity related to SLAC frame processing.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-22790 is a high-severity stack overflow vulnerability in the EVerest EV charging software stack, specifically in the function HomeplugMessage::setup_payload.

The vulnerability occurs because the function uses an assert statement to check the length of the SLAC payload, but this check is removed in release builds. Without this check, oversized payloads are copied into a fixed-size stack buffer of about 1497 bytes using memcpy, causing a stack buffer overflow.

This overflow corrupts adjacent memory on the stack and enables remote code execution from network-provided frames, allowing an attacker to run arbitrary code remotely.

The issue affects versions prior to 2026.02.0, which contains a patch to fix this problem.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with adjacent network access to execute arbitrary code remotely on the affected system without requiring any privileges or user interaction.

The impact includes severe compromise of confidentiality, integrity, and availability of the system running the vulnerable EVerest software.

• Remote code execution
• Stack memory corruption
• Potential full system compromise

Useful 0 Not Useful 0