CVE-2026-26008
Out-of-Bounds Access in EVerest EV Charging Causes Remote Crash
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | everest | up to 2026.02.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26008 is a high-severity out-of-bounds (OOB) access vulnerability in the EVerest EV charging software stack, specifically in its implementation of the Open Charge Point Protocol (OCPP) 2.0.1.
The root cause is a mismatch in indexing EVSE (Electric Vehicle Supply Equipment) IDs: the system uses 1-based indexing for EVSE IDs, but accesses a zero-based std::vector with these IDs directly. This off-by-one error leads to out-of-bounds memory access.
When the Central System Management System (CSMS) sends an UpdateAllowedEnergyTransferModes message, the software attempts to access the vector with a 1-based index, causing heap-buffer-overflow errors.
This vulnerability can cause remote crashes or memory corruption due to invalid memory access. It affects versions prior to 2026.02.0, which contains the patch fixing the indexing issue.
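The indexing mismatch described above, as an added C++ example that is not EVerest's code: the `Evse` struct and all function names are hypothetical, and the station data is constructed. It places the direct 1-based index beside a lookup that validates the ID and converts it to the zero-based position.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Hypothetical types: the page does not show EVerest's own data structures.
struct Evse {
    int32_t id;                      // 1-based EVSE ID, as carried in the message
    std::vector<std::string> modes;  // allowed energy transfer modes
};

// Constructed station: EVSE IDs 1..n stored at vector indices 0..n-1.
std::vector<Evse> make_station(int32_t n) {
    std::vector<Evse> evses;
    for (int32_t id = 1; id <= n; ++id) evses.push_back({id, {"AC_single_phase"}});
    return evses;
}

// Pattern described above: the 1-based ID is used directly as the index.
// evse_id == evses.size() reads one element past the end; smaller IDs
// silently select the neighbouring EVSE instead of the requested one.
Evse& lookup_unchecked(std::vector<Evse>& evses, int32_t evse_id) {
    return evses[evse_id];
}

// Hardened lookup: validate the untrusted ID, then convert to 0-based.
Evse* lookup_checked(std::vector<Evse>& evses, int32_t evse_id) {
    if (evse_id < 1 || static_cast<std::size_t>(evse_id) > evses.size()) return nullptr;
    return &evses[static_cast<std::size_t>(evse_id) - 1];
}

// Handler sketch: reject the update instead of touching memory on a bad ID.
bool update_allowed_modes(std::vector<Evse>& evses, int32_t evse_id,
                          std::vector<std::string> modes) {
    Evse* evse = lookup_checked(evses, evse_id);
    if (evse == nullptr) return false;
    evse->modes = std::move(modes);
    return true;
}
```

Building test targets with AddressSanitizer makes the unchecked variant fail loudly when the ID equals the vector size, while the checked variant returns a rejection the caller can log.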
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability can be exploited remotely without any privileges or user interaction.
Exploitation leads to heap-buffer-overflow errors that can cause the software to crash or experience memory corruption.
The primary impact is a denial of service (DoS), making the EV charging system unavailable or unstable.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered when the Central System Management System (CSMS) sends an UpdateAllowedEnergyTransferModes message over the network, causing an out-of-bounds access in the EVerest software.
Detection can involve monitoring for crashes or memory corruption events in the EVerest EV charging software, especially heap-buffer-overflow errors detected by tools like AddressSanitizer (ASAN).
Since the issue is related to handling of specific network messages, capturing and analyzing network traffic for UpdateAllowedEnergyTransferModes messages sent to the EVerest system may help identify attempts to exploit this vulnerability.
No explicit commands are provided in the resources, but you can use tools such as:
- Network packet capture tools (e.g., tcpdump, Wireshark) to filter for UpdateAllowedEnergyTransferModes messages.
- System logs and crash reports to detect heap-buffer-overflow or memory corruption events.
- AddressSanitizer (ASAN) or similar memory error detection tools during testing or runtime to catch out-of-bounds accesses.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the EVerest EV charging software stack to version 2026.02.0 or later, where the vulnerability has been patched by correcting the EVSE ID indexing mismatch.
Until the upgrade can be applied, consider restricting or monitoring network traffic to prevent or detect malicious UpdateAllowedEnergyTransferModes messages from the Central System Management System (CSMS).
Additionally, monitor the system for crashes or memory corruption symptoms that may indicate exploitation attempts.