CVE-2026-27815
Buffer Overflow in EVerest EVSE Software Causes Crash Risk
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | everest | to 2026.02.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to out-of-bounds memory writes within the EV charging software, which may corrupt adjacent EVSE state or cause the charging process to crash.
Such corruption or crashes can disrupt the normal operation of the EV charging station, potentially causing denial of service or unpredictable behavior.
Can you explain this vulnerability to me?
CVE-2026-27815 is a medium-severity vulnerability in the EVerest EV charging software stack, specifically in the ISO15118 charger interface's session setup handler.
The vulnerability arises because the function ISO15118_chargerImpl::handle_session_setup copies a variable-length payment_options list into a fixed-size array of length 2 without checking if the list exceeds this size.
Although the interface schema limits the payment_options list to a maximum of 2 items, schema validation is disabled by default. This allows an attacker with access to the internal MQTT broker to send a session_setup command containing more than two payment_options entries.
As a result, the handler writes beyond the fixed-size buffer, causing out-of-bounds memory writes that can corrupt adjacent EVSE state or crash the process.
This issue affects EVerest core version 2025.12.1 and was patched in version 2026.02.0 by adding explicit bounds checks and enabling schema validation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring MQTT session_setup commands sent to the internal MQTT broker for payment_options lists containing more than two entries, which exceed the expected fixed-size array limit.
Since the issue arises from oversized MQTT Cmd payloads, inspecting MQTT traffic for unusually large or malformed session_setup messages with excessive payment_options entries is key.
Enabling schema validation (settings.validate_schema: true) in the deployment configuration can help detect and reject invalid payloads automatically.
Specific commands are not provided in the resources, but typical detection steps could include using MQTT client tools or network packet analyzers (e.g., mosquitto_sub, Wireshark) to capture and analyze MQTT messages for session_setup commands with payment_options lists longer than two.
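One way to run the check described above over captured broker messages, as an added example that is not part of the original page or of EVerest's code. The topic names and JSON envelope in the samples are constructed assumptions, so the scan looks for a payment_options key at any depth instead of relying on a specific message layout.

```python
import json

MAX_PAYMENT_OPTIONS = 2  # fixed array length given in the vulnerability description


def find_payment_options(node):
    """Yield every list stored under a 'payment_options' key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "payment_options" and isinstance(value, list):
                yield value
            else:
                yield from find_payment_options(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_payment_options(item)


def check_message(topic, payload):
    """Return a finding string for a suspicious message, or None if it looks fine."""
    try:
        doc = json.loads(payload)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return f"{topic}: payload is not valid JSON"
    for options in find_payment_options(doc):
        if len(options) > MAX_PAYMENT_OPTIONS:
            return (f"{topic}: payment_options has {len(options)} entries "
                    f"(max {MAX_PAYMENT_OPTIONS})")
    return None


def scan(messages):
    """Check (topic, payload) pairs and return the list of findings."""
    return [f for f in (check_message(t, p) for t, p in messages) if f]


# Constructed sample capture: topics and envelope fields are assumptions.
SAMPLES = [
    ("example/charger/cmd",
     b'{"name": "session_setup", "args": {"payment_options": ["Contract", "ExternalPayment"]}}'),
    ("example/charger/cmd",
     b'{"name": "session_setup", "args": {"payment_options": ["Contract", "ExternalPayment", "Contract"]}}'),
    ("example/charger/cmd", b'{"name": "session_setup", "args": '),
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

The (topic, payload) pairs can come from any capture source, such as saved mosquitto_sub output or a packet capture export.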
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include enabling schema validation by setting settings.validate_schema to true in the deployment configuration to reject or truncate inputs exceeding two payment_options entries.
Applying the patch by upgrading to EVerest version 2026.02.0 or later, which contains explicit bounds checks before writing to the payment_option_list, is essential.
Additionally, restricting access to the internal MQTT broker to trusted sources only can reduce the risk of an attacker sending malicious oversized payloads.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.