CVE-2026-27816
Received - Intake
Buffer Overflow in EVerest EVSE Software Causes Crash or Corruption

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_update_energy_transfer_modes copies a variable-length list into a fixed-size array of length 6 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can trigger out-of-bounds writes and corrupt adjacent EVSE state or crash the process. Version 2026.02.0 contains a patch.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-31
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linuxfoundation
Product: everest
Version / Range: to 2026.02.0 (exclusive)
CWE ID: CWE-787
Description: The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-27816 is a medium-severity vulnerability in the EVerest EV charging software stack, specifically in the ISO15118 charger interface's handle_update_energy_transfer_modes function.

The vulnerability occurs because the function copies a variable-length list of supported energy transfer modes into a fixed-size array of length 6 without checking if the list exceeds this size.

Since schema validation is disabled by default, an attacker can send an MQTT command payload with more than six entries, causing out-of-bounds writes that can corrupt adjacent EVSE state data or crash the process.

This issue affects versions up to 2025.12.1 and was fixed in version 2026.02.0 by adding bounds checking and enabling schema validation.


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to corruption of adjacent EVSE state data or cause the charging software process to crash.

An attacker with access to the internal MQTT broker can trigger this by sending specially crafted commands, potentially disrupting EV charging operations.

This can result in denial of service or unpredictable behavior of the EV charging system, impacting reliability and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring MQTT traffic for update_energy_transfer_modes commands that contain more than six supported_energy_transfer_modes entries, which exceed the fixed-size array limit.

Since the vulnerability involves out-of-bounds writes triggered by oversized MQTT payloads, inspecting MQTT messages for unusually large or malformed payloads targeting the ISO15118 charger interface is key.

A suggested detection approach is to capture MQTT traffic and filter for the specific command:

  • Use an MQTT client or network packet capture tool (e.g., Wireshark, tcpdump) to capture MQTT messages.
  • Filter messages for the topic or payload containing 'update_energy_transfer_modes'.
  • Inspect the payload to check if the supported_energy_transfer_modes list length exceeds six entries.

Example command to capture MQTT traffic on port 1883 (default MQTT port) using tcpdump:

  • sudo tcpdump -l -i <interface> -A port 1883 | grep -i 'update_energy_transfer_modes'
    (-l makes tcpdump line-buffer its output so matches reach grep as they are captured)

Alternatively, use an MQTT client tool to subscribe to relevant topics and inspect payloads for oversized lists.
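
The payload inspection described above, as an added example (not code from EVerest or from this page): it searches a decoded JSON payload at any depth for a supported_energy_transfer_modes list longer than six entries. It assumes the Cmd payload is JSON; the topic strings, envelope fields and mode names in the samples are constructed placeholders.

```python
import json

MAX_MODES = 6  # fixed array length stated in the advisory
KEY = "supported_energy_transfer_modes"
CMD = "update_energy_transfer_modes"


def find_mode_lists(node):
    """Yield every list stored under KEY at any depth of a decoded JSON value."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name == KEY and isinstance(value, list):
                yield value
            else:
                yield from find_mode_lists(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_mode_lists(item)


def check_message(topic, payload):
    """Return a finding dict for a suspicious message, or None if it looks fine."""
    text = payload.decode("utf-8", errors="replace") if isinstance(payload, bytes) else payload
    if CMD not in topic and CMD not in text:
        return None  # not the command of interest
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        # Malformed payloads aimed at this command are worth a look too.
        return {"topic": topic, "reason": "unparseable payload", "length": None}
    longest = max((len(lst) for lst in find_mode_lists(doc)), default=0)
    if longest > MAX_MODES:
        return {"topic": topic, "reason": "oversized list", "length": longest}
    return None


def make_sample(n):
    # Constructed payload: envelope and mode names are placeholders, not EVerest's schema.
    modes = [f"mode_{i}" for i in range(n)]
    return json.dumps({"name": CMD, "args": {KEY: modes}})


SAMPLES = [  # constructed (topic, payload) pairs; topic strings are hypothetical
    ("example/charger/cmd", make_sample(6)),
    ("example/charger/cmd", make_sample(7)),
    ("example/charger/cmd", '{"name": "update_energy_transfer_modes", "args": '),
    ("example/other/cmd", '{"name": "something_else"}'),
]

if __name__ == "__main__":
    for topic, payload in SAMPLES:
        finding = check_message(topic, payload)
        if finding:
            print(finding)
```

check_message can be called from the message callback of whichever MQTT client is subscribed to the broker, passing the received topic and payload.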


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade the EVerest software to version 2026.02.0 or later, which contains the patch fixing the vulnerability.
  • Enable schema validation by setting settings.validate_schema to true in the deployment configuration to prevent oversized MQTT payloads from being processed.
  • Implement explicit bounds checking on the supported_energy_transfer_modes list to reject or truncate inputs exceeding six entries.
  • Restrict access to the internal MQTT broker to trusted entities only, reducing the risk of an attacker sending malicious commands.
