Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access (std::vector) that leads to possible remote crash/memory corruption. This is because the CSMS sends UpdateAllowedEnergyTransferModes over the network. Version 2026.2.0 contains a patch.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑bounds vector access causing potential memory corruption and crash
Action: Patch
AI Analysis

Impact

EVerest, an EV charging software stack, has a flaw that permits reading beyond the bounds of a std::vector when the Charge Station Management System sends the UpdateAllowedEnergyTransferModes message in OCPP 2.0.1. This out‑of‑bounds access can corrupt memory or cause the application to crash, leading to loss of availability and potential integrity compromise of the charging control software.

Affected Systems

The vulnerability affects deployments of the EVerest everest‑core package on Linux running any release prior to 2026.02.0. Versions 2026.02.0 and newer contain the patch that resolves the indexing mismatch.

Risk and Exploitability

The CVSS score of 7.5 signifies moderate‑to‑high severity, yet the EPSS score of less than 1% indicates a very low current likelihood of exploitation. The issue is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is remote: an adversary with control over a Charge Station Management System can send the UpdateAllowedEnergyTransferModes command to trigger the flaw, inferring a network‑based exploitation route.

Generated by OpenCVE AI on March 31, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the EVerest everest‑core package to version 2026.02.0 or later to apply the fix for the out‑of‑bounds access.
  • Verify that the installed package version reflects the update by checking the release documentation or package metadata.
  • Monitor the system for unusual crashes or memory corruption, and examine logs for OCPP messages that may indicate exploitation attempts.
  • If the update cannot be applied immediately, isolate the affected component from external OCPP traffic until a patch or mitigation is in place.

Generated by OpenCVE AI on March 31, 2026 at 15:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation everest
CPEs cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation everest

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Everest
Everest everest-core
Vendors & Products Everest
Everest everest-core

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access (std::vector) that leads to possible remote crash/memory corruption. This is because the CSMS sends UpdateAllowedEnergyTransferModes over the network. Version 2026.2.0 contains a patch.
Title EVerest has OOB via EVSE ID Indexing Mismatch in OCPP 2.0.1 UpdateAllowedEnergyTransferModes
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Everest Everest-core
Linuxfoundation Everest
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:11.512Z

Reserved: 2026-02-09T21:36:29.553Z

Link: CVE-2026-26008

cve-icon Vulnrichment

Updated: 2026-03-26T19:50:52.965Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T15:16:32.510

Modified: 2026-03-31T13:45:52.587

Link: CVE-2026-26008

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:09:00Z

Weaknesses