Description
EVerest is an EV charging software stack. Prior to version 2026.02.0, an off-by-one check in IsoMux certificate filename handling causes a stack-based buffer overflow when a filename length equals `MAX_FILE_NAME_LENGTH` (100). A crafted filename in the certificate directory can overflow `file_names[idx]`, corrupting stack state and enabling potential code execution. Version 2026.02.0 contains a patch.
Published: 2026-03-26
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: Stack-based buffer overflow enabling potential code execution
Action: Immediate Patch
AI Analysis

Impact

An off‑by‑one segmentation occurs in the IsoMux certificate filename parser when a filename reaches the maximum allowed length of 100 characters. The overflow corrupts a stack variable, which can be leveraged to alter execution flow and potentially execute arbitrary code. The weakness is a classic buffer overflow flaw (CWE‑193).

Affected Systems

All installations of the EVerest everest‑core component running a version earlier than 2026.02.0 are affected, as the vulnerability exists within the certificate handling logic used on electric vehicle charging stations.

Risk and Exploitability

The CVSS score of 8.4 signals high severity, and while no EPSS data or KEV listing is available, the vulnerability can be exploited as soon as an attacker can supply a crafted filename to the certificate directory. The ability to place such a file is not explicitly documented in the description, but it is inferred that write access to the directory enables exploitation. Consequently, the risk to confidentiality, integrity, and availability is significant for systems running the vulnerable EVerest build.

Generated by OpenCVE AI on March 26, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to EVerest version 2026.02.0 or later.

Generated by OpenCVE AI on March 26, 2026 at 15:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Everest
Everest everest-core
Vendors & Products Everest
Everest everest-core

Thu, 26 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description EVerest is an EV charging software stack. Prior to version 2026.02.0, an off-by-one check in IsoMux certificate filename handling causes a stack-based buffer overflow when a filename length equals `MAX_FILE_NAME_LENGTH` (100). A crafted filename in the certificate directory can overflow `file_names[idx]`, corrupting stack state and enabling potential code execution. Version 2026.02.0 contains a patch.
Title EVerest has off-by-one stack buffer overflow in IsoMux certificate filename parsing
Weaknesses CWE-193
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Everest Everest-core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T13:49:26.695Z

Reserved: 2026-01-07T21:50:39.532Z

Link: CVE-2026-22593

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-26T15:16:31.800

Modified: 2026-03-26T15:16:31.800

Link: CVE-2026-22593

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:26:40Z

Weaknesses