Description
ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex EV chargers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26339.
Published: 2026-04-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

A stack-based buffer overflow flaw has been discovered in the handling of OCPP messages on ChargePoint Home Flex EV chargers. The vulnerability stems from an absence of proper length validation for user‑supplied data before it is copied into a fixed‑size stack buffer. An attacker can exploit this flaw to inject arbitrary code, which the system then executes with root privileges. The vulnerability is classified as a CWE‑121 type buffer overflow and does not require any authentication to be successfully leveraged.

Affected Systems

The flaw affects all ChargePoint Home Flex EV chargers. No specific firmware or hardware model information is disclosed, so any installation of ChargePoint Home Flex that processes OCPP getpreq messages is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is considered high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can potentially reach the target over the network without authentication, leveraging the remote OCPP interface. If the vulnerability is successfully exploited, the attacker gains full control of the charger device, compromising its integrity and potentially enabling broader attacks on connected infrastructure.

Generated by OpenCVE AI on April 11, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any available firmware or patch updates from ChargePoint for the Home Flex product. If a vendor update is not yet released, restrict OCPP traffic to trusted devices or isolate the charger on a separate network segment to limit external exposure. Monitor device logs for anomalous OCPP activity and consider disabling the getpreq functionality if it is not required.

Generated by OpenCVE AI on April 11, 2026 at 02:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Chargepoint home Flex Cph50
Chargepoint home Flex Cph50 Firmware
CPEs cpe:2.3:h:chargepoint:home_flex_cph50:-:*:*:*:*:*:*:*
cpe:2.3:o:chargepoint:home_flex_cph50_firmware:*:*:*:*:*:*:*:*
Vendors & Products Chargepoint home Flex Cph50
Chargepoint home Flex Cph50 Firmware

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Chargepoint
Chargepoint home Flex
Vendors & Products Chargepoint
Chargepoint home Flex

Sat, 11 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Description ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex EV chargers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26339.
Title ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-121
References
Metrics cvssV3_0

{'score': 7.5, 'vector': 'CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Chargepoint Home Flex Home Flex Cph50 Home Flex Cph50 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-04-13T17:38:27.403Z

Reserved: 2026-03-13T20:34:05.267Z

Link: CVE-2026-4156

cve-icon Vulnrichment

Updated: 2026-04-13T17:38:22.279Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-11T01:16:17.360

Modified: 2026-04-27T17:42:36.723

Link: CVE-2026-4156

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:56:55Z

Weaknesses