Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-26008 is a high-severity out-of-bounds (OOB) access vulnerability in the EVerest EV charging software stack, specifically in its implementation of the Open Charge Point Protocol (OCPP) 2.0.1.

The root cause is a mismatch in indexing EVSE (Electric Vehicle Supply Equipment) IDs: the system uses 1-based indexing for EVSE IDs, but accesses a zero-based std::vector with these IDs directly. This off-by-one error leads to out-of-bounds memory access.

When the Central System Management System (CSMS) sends an UpdateAllowedEnergyTransferModes message, the software attempts to access the vector with a 1-based index, causing heap-buffer-overflow errors.

This vulnerability can cause remote crashes or memory corruption due to invalid memory access. It affects versions prior to 2026.02.0, which contains the patch fixing the indexing issue.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited remotely without any privileges or user interaction.

Exploitation leads to heap-buffer-overflow errors that can cause the software to crash or experience memory corruption.

The primary impact is a denial of service (DoS), making the EV charging system unavailable or unstable.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is triggered when the Central System Management System (CSMS) sends an UpdateAllowedEnergyTransferModes message over the network, causing an out-of-bounds access in the EVerest software.

Detection can involve monitoring for crashes or memory corruption events in the EVerest EV charging software, especially heap-buffer-overflow errors detected by tools like AddressSanitizer (ASAN).

Since the issue is related to handling of specific network messages, capturing and analyzing network traffic for UpdateAllowedEnergyTransferModes messages sent to the EVerest system may help identify attempts to exploit this vulnerability.

No explicit commands are provided in the resources, but you can use tools such as:

• Network packet capture tools (e.g., tcpdump, Wireshark) to filter for UpdateAllowedEnergyTransferModes messages.
• System logs and crash reports to detect heap-buffer-overflow or memory corruption events.
• AddressSanitizer (ASAN) or similar memory error detection tools during testing or runtime to catch out-of-bounds accesses.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the EVerest EV charging software stack to version 2026.02.0 or later, where the vulnerability has been patched by correcting the EVSE ID indexing mismatch.

Until the upgrade can be applied, consider restricting or monitoring network traffic to prevent or detect malicious UpdateAllowedEnergyTransferModes messages from the Central System Management System (CSMS).

Additionally, monitor the system for crashes or memory corruption symptoms that may indicate exploitation attempts.

Useful 0 Not Useful 0