CVE-2026-4156
Received Received - Intake
Stack-Based Buffer Overflow in ChargePoint Home Flex Enables RCE

Publication date: 2026-04-11

Last updated on: 2026-04-27

Assigner: Zero Day Initiative

Description
ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex EV chargers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26339.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-11
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4156
EUVD
EUVD-2026-21641
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chargepoint home_flex_cph50_firmware to 5.5.4.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4156 is a stack-based buffer overflow vulnerability found in the ChargePoint Home Flex electric vehicle charger. It occurs due to improper validation of the length of user-supplied data before copying it into a fixed-length stack buffer during the handling of Open Charge Point Protocol (OCPP) messages.

This flaw allows an attacker who is on a network adjacent to the device to execute arbitrary code remotely without needing to authenticate. The attacker can run code with root privileges, potentially taking full control of the affected device.

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to execute arbitrary code with root privileges on the affected ChargePoint Home Flex EV charger.

  • Compromise of device confidentiality, integrity, and availability.
  • Potential unauthorized control over the EV charger, which could disrupt charging operations.
  • Since no authentication is required, the attack surface is broad for anyone on an adjacent network.
Compliance Impact

The vulnerability allows an attacker to execute arbitrary code with root privileges on the affected ChargePoint Home Flex EV charger, impacting confidentiality, integrity, and availability of the system.

Such a compromise could lead to unauthorized access to sensitive data or disruption of services, which may affect compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality and system integrity.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4156. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart