EVerest DZG_GSH01 Power Meter Out-of-Bounds Read Vulnerability in SLIP Protocol Parser

Vulnerability

A vulnerability exists in the EVerest EV charging software stack, specifically in the DZG_GSH01 power meter driver, prior to version 2025.12.0. The SLIP protocol parser's `is_message_crc_correct` function reads the last two bytes of a message vector (the transmitted CRC) without first verifying that the vector holds at least two bytes. A malformed SLIP frame delivered through the multi-message path can therefore produce a sub-message vector that is shorter than two bytes; the function then reads out of bounds while extracting the CRC, and the `pop_back` calls that strip the CRC bytes underflow the vector. An attacker who controls the serial input can exploit this to crash the process, causing a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a heap-buffer-overflow (an out-of-bounds read on the heap-allocated message vector), which is undefined behaviour and will most likely crash the process.

Reproduction

The vulnerability can be reproduced by sending a crafted SLIP frame containing multiple SLIP delimiters so that the parser's multi-message path yields a 1-byte sub-message. Because that single byte matches the expected device ID, the sub-message passes the driver's length and identity checks and is handed to `is_message_crc_correct`, which has no minimum-length check of its own.
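The following C++ is an added illustration of the bug shape described in the Vulnerability and Reproduction sections; it is not EVerest's code. The SLIP constants are from RFC 1055, but the CRC (CRC-16/CCITT-FALSE), the device ID, and the receive path (`split_slip`, `process_serial`) are assumptions made only so that the frames round-trip here. `is_message_crc_correct_vuln` reads `msg[n - 2]` and pops twice with no length check, exactly the defect the advisory names; `is_message_crc_correct_fixed` rejects any sub-message that cannot hold a CRC before touching it.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// SLIP framing constants (RFC 1055).
constexpr uint8_t SLIP_END     = 0xC0;
constexpr uint8_t SLIP_ESC     = 0xDB;
constexpr uint8_t SLIP_ESC_END = 0xDC;
constexpr uint8_t SLIP_ESC_ESC = 0xDD;

// Assumed device ID and CRC (CRC-16/CCITT-FALSE). Neither is taken from the
// real DZG_GSH01 driver; they only make the constructed frames round-trip.
constexpr uint8_t DEVICE_ID = 0x42;

uint16_t crc16_ccitt(const uint8_t* data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; ++i) {
        crc ^= static_cast<uint16_t>(data[i] << 8);
        for (int b = 0; b < 8; ++b)
            crc = (crc & 0x8000) ? static_cast<uint16_t>((crc << 1) ^ 0x1021)
                                 : static_cast<uint16_t>(crc << 1);
    }
    return crc;
}

// VULNERABLE shape (as the advisory describes it): the trailing two bytes are
// read as the CRC and popped off without checking that they exist. With
// msg.size() < 2, msg[n - 2] indexes far past the end (out-of-bounds heap
// read) and the second pop_back() runs on an empty vector (underflow).
bool is_message_crc_correct_vuln(std::vector<uint8_t>& msg) {
    size_t n = msg.size();
    uint16_t received = static_cast<uint16_t>((msg[n - 2] << 8) | msg[n - 1]);
    msg.pop_back();
    msg.pop_back();
    return crc16_ccitt(msg.data(), msg.size()) == received;
}

// HARDENED: a message that cannot hold a CRC is rejected before any access.
bool is_message_crc_correct_fixed(std::vector<uint8_t>& msg) {
    if (msg.size() < 2) return false;
    size_t n = msg.size();
    uint16_t received = static_cast<uint16_t>((msg[n - 2] << 8) | msg[n - 1]);
    msg.pop_back();
    msg.pop_back();
    return crc16_ccitt(msg.data(), msg.size()) == received;
}

// Multi-message path (assumed): split a raw serial buffer on END delimiters
// and undo SLIP escaping. Empty chunks from back-to-back delimiters are
// dropped, but a 1-byte chunk survives and is handed on as a sub-message.
std::vector<std::vector<uint8_t>> split_slip(const std::vector<uint8_t>& raw) {
    std::vector<std::vector<uint8_t>> msgs;
    std::vector<uint8_t> cur;
    bool esc = false;
    for (uint8_t b : raw) {
        if (b == SLIP_END) {
            if (!cur.empty()) msgs.push_back(cur);
            cur.clear();
            esc = false;
        } else if (esc) {
            cur.push_back(b == SLIP_ESC_END ? SLIP_END : b == SLIP_ESC_ESC ? SLIP_ESC : b);
            esc = false;
        } else if (b == SLIP_ESC) {
            esc = true;
        } else {
            cur.push_back(b);
        }
    }
    if (!cur.empty()) msgs.push_back(cur);  // unterminated tail is kept as-is
    return msgs;
}

// Encode payload || CRC as one SLIP frame (used to build valid input).
std::vector<uint8_t> make_frame(const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> body = payload;
    uint16_t c = crc16_ccitt(body.data(), body.size());
    body.push_back(static_cast<uint8_t>(c >> 8));
    body.push_back(static_cast<uint8_t>(c & 0xFF));
    std::vector<uint8_t> out{SLIP_END};
    for (uint8_t b : body) {
        if (b == SLIP_END)      { out.push_back(SLIP_ESC); out.push_back(SLIP_ESC_END); }
        else if (b == SLIP_ESC) { out.push_back(SLIP_ESC); out.push_back(SLIP_ESC_ESC); }
        else                    { out.push_back(b); }
    }
    out.push_back(SLIP_END);
    return out;
}

// Assumed receive path: a non-empty sub-message whose first byte is the
// device ID is accepted and passed to the CRC check. The 1-byte message
// {DEVICE_ID} satisfies both conditions, so only the CRC function's own
// length check stands between it and the out-of-bounds read.
// Returns the number of sub-messages whose CRC verified.
size_t process_serial(const std::vector<uint8_t>& raw, bool hardened) {
    size_t accepted = 0;
    for (auto& m : split_slip(raw)) {
        if (m.empty() || m[0] != DEVICE_ID) continue;
        bool ok = hardened ? is_message_crc_correct_fixed(m) : is_message_crc_correct_vuln(m);
        if (ok) ++accepted;
    }
    return accepted;
}
```

The constructed crafted input is `C0 42 C0 C0`: the delimiters split it into a single 1-byte sub-message carrying just the device ID. Feeding that into the vulnerable check is undefined behaviour, so only the hardened variant is exercised on it; both variants agree on well-formed frames, which is the property a fix like this should preserve.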

Remediation

Users can update to EVerest version 2025.12.0 or later, where this vulnerability has been fixed.

Added: Jan 21, 2026, 7:22 PM
Updated: Jan 21, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  4.2
  remediation     0.0
  relevance       2.3
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.