Description
A stack-based buffer overflow vulnerability in the charging controller’s signal-processing logic allows an attacker with physical access to the charging interface to supply message fields that exceed expected bounds. Because the input is not sufficiently validated, memory corruption may occur, which can lead to execution of unauthorized code with elevated privileges.
Published: 2026-05-28
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow exists in XCharge C6's signal-processing logic. When message fields are longer than expected, the controller's input validation fails and corrupts the stack, potentially allowing execution of unauthorized code with elevated privileges. The consequence is loss of confidentiality, integrity, and availability of the charging system and any connected networks.

Affected Systems

XCharge C6 charging controllers are affected. No specific firmware versions were disclosed, but the vendor states that all affected chargers have been updated.

Risk and Exploitability

The attack requires physical access to the charging interface to supply malformed messages. Although the EPSS metric is not available, the CVSS score of 8.6 indicates high severity. The vulnerability is not listed in the CISA KEV catalog, but the possibility of remote code execution makes the risk significant for environments where charging infrastructure is connected to critical networks.

Generated by OpenCVE AI on May 28, 2026 at 20:36 UTC.

Remediation

Vendor Solution

XCharge has confirmed that the update has been deployed for all affected chargers. Users with questions can reach out to XCharge Support for further details if needed. https://www.xcharge.com/contact


OpenCVE Recommended Actions

  • Apply the latest firmware update released by XCharge to all affected charging units
  • Restrict physical access to the charging interface by using tamper-resistant enclosures or access controls
  • Monitor charging station logs for anomalous messages and establish alerts for potential buffer overflow attempts
  • Contact XCharge Support if any issues arise during the update process

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Xcharge; Xcharge c6
Vendors & Products                     Xcharge; Xcharge c6

Fri, 29 May 2026 15:30:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 19:45:00 +0000

Type                  Values Removed   Values Added
Description                            A stack-based buffer overflow vulnerability in the charging controller's signal-processing logic allows an attacker with physical access to the charging interface to supply message fields that exceed expected bounds. Because the input is not sufficiently validated, memory corruption may occur, which can lead to execution of unauthorized code with elevated privileges.
Title                                  Stack-based buffer overflow in XCharge C6
Weaknesses                             CWE-121
References
Metrics                                cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-29T15:00:43.770Z

Reserved: 2026-05-19T16:54:39.327Z

Link: CVE-2026-9038

Vulnrichment

Updated: 2026-05-29T15:00:38.156Z

NVD

Status : Awaiting Analysis

Published: 2026-05-28T20:16:27.227

Modified: 2026-05-29T15:42:56.873

Link: CVE-2026-9038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:57Z

Weaknesses