EVerest Integer Overflow Vulnerability in SDP Packet Parsing Leads to Stack Buffer Overflow
Vulnerability
An integer overflow vulnerability has been identified in EVerest, an EV charging software stack, prior to version 2025.10.0. The issue occurs in the 'SdpPacket::parse_header()' function, where the current buffer length can be incorrectly set to 7 after reading a complete header of 8 bytes. This miscalculation allows for a negative value to be computed when determining the remaining length to read, which is then interpreted as 'SIZE_MAX' due to a signed-to-unsigned conversion error. Depending on the server's protocol (plain TCP or TLS), this flaw can cause either an infinite loop or a stack buffer overflow.
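The length-arithmetic failure described above, as an added illustration in constructed C++ (not EVerest's code): a signed remaining-length computation that wraps to SIZE_MAX, beside a bounded, unsigned-only version that rejects inconsistent state before any read. The 8-byte header comes from the advisory; the V2GTP-style field layout, the 0x01/0xFE version bytes and the 4096-byte buffer limit are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>

constexpr std::size_t kHeaderLen = 8;     // header size stated in the advisory
constexpr std::size_t kMaxBody   = 4096;  // assumed receive-buffer capacity

// Constructed sample headers (assumed V2GTP-style layout: version 0x01,
// inverse 0xFE, 2-byte payload type, 4-byte big-endian payload length).
constexpr std::uint8_t kSampleHdr[kHeaderLen]   = {0x01, 0xFE, 0x90, 0x00, 0x00, 0x00, 0x00, 0x02};
constexpr std::uint8_t kOversizeHdr[kHeaderLen] = {0x01, 0xFE, 0x90, 0x00, 0xFF, 0xFF, 0xFF, 0xFF};

// Unsafe pattern: the remaining length is a signed difference that is
// converted to size_t when handed to a read call. If bookkeeping leaves
// current_len larger than expected_total, -1 becomes SIZE_MAX, i.e. an
// unbounded read into a fixed-size buffer.
std::size_t remaining_unchecked(std::size_t expected_total, std::size_t current_len) {
    std::ptrdiff_t remaining = static_cast<std::ptrdiff_t>(expected_total) -
                               static_cast<std::ptrdiff_t>(current_len);
    return static_cast<std::size_t>(remaining);  // -1 -> SIZE_MAX
}

// Hardened: arithmetic stays unsigned and every subtraction is guarded, so an
// inconsistent length state is rejected instead of wrapping.
std::optional<std::size_t> remaining_checked(std::size_t expected_total, std::size_t current_len) {
    if (expected_total < kHeaderLen || expected_total > kHeaderLen + kMaxBody) return std::nullopt;
    if (current_len > expected_total) return std::nullopt;  // more bytes than the frame holds
    return expected_total - current_len;                    // cannot underflow after the checks
}

// Parse the header and derive the total frame length, rejecting anything that
// could not fit the receive buffer before any further read is issued.
std::optional<std::size_t> parse_total_len(const std::uint8_t* buf, std::size_t len) {
    if (len < kHeaderLen) return std::nullopt;                  // header not complete yet
    if (buf[0] != 0x01 || buf[1] != 0xFE) return std::nullopt;  // version check
    std::uint32_t body = (std::uint32_t{buf[4]} << 24) | (std::uint32_t{buf[5]} << 16) |
                         (std::uint32_t{buf[6]} << 8)  |  std::uint32_t{buf[7]};
    if (body > kMaxBody) return std::nullopt;                   // declared length exceeds buffer
    return kHeaderLen + body;
}

int main() {
    std::printf("unchecked(8, 9) = %zu\n", remaining_unchecked(8, 9));  // SIZE_MAX
    std::printf("checked(8, 9) valid = %d\n", remaining_checked(8, 9).has_value() ? 1 : 0);
    std::printf("sample total = %zu\n", parse_total_len(kSampleHdr, kHeaderLen).value_or(0));
    std::printf("oversize accepted = %d\n", parse_total_len(kOversizeHdr, kHeaderLen).has_value() ? 1 : 0);
    return 0;
}
```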
Impact
Exploitation of this vulnerability leads to a stack buffer overflow, allowing for control flow modification and potentially arbitrary code execution.
Reproduction
The vulnerability can be reproduced by sending a crafted SDP request that exploits the integer overflow in the header parsing. This can be done over TCP or TLS, with the TLS connection demonstrating the overflow effect more clearly.
Remediation
Users are advised to update to EVerest version 2025.10.0 or later, where this vulnerability has been fixed.