EVerest Stack-Based Buffer Overflow Vulnerability in CAN Interface Initialization
Vulnerability
A stack-based buffer overflow vulnerability has been identified in EVerest, an EV charging software stack, prior to version 2026.02.0. The issue arises in the CAN interface initialization, where passing an interface name longer than 16 bytes to the CAN open routines overflows the 'ifreq.ifr_name' buffer. This overflow corrupts adjacent stack data, potentially leading to arbitrary code execution. The vulnerability can be triggered by a malicious or misconfigured interface name before any privilege checks are performed.
Impact
Exploitation of this vulnerability can result in stack corruption, with the potential for arbitrary code execution.
Reproduction
The vulnerability can be reproduced by using an interface name that exceeds 16 bytes. This can be done by crafting a network device name or using an environment-driven configuration that introduces a long interface name. The overflow can be verified using AddressSanitizer, which will report a stack-buffer-overflow error.
Remediation
Users are advised to update to EVerest version 2026.02.0, which includes a patch for this vulnerability.
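For code that fills 'ifreq.ifr_name' from configuration or other untrusted input, the length check can be made explicit before the copy. The following is an added example, not code from EVerest or its patch; the helper name can_set_ifname and the sample interface names are hypothetical, and it assumes the Linux definition of IFNAMSIZ (16 bytes, including the terminating NUL).

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes struct ifreq and strnlen under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <net/if.h>

/*
 * Hypothetical helper, not EVerest's code. An unbounded copy such as
 *     strcpy(req->ifr_name, name);
 * writes past the IFNAMSIZ-byte field when the name is too long.
 * This version rejects the name instead. It does not truncate, because a
 * shortened name could silently select a different interface.
 */
int can_set_ifname(struct ifreq *req, const char *name)
{
    size_t len;

    if (req == NULL || name == NULL)
        return -EINVAL;
    len = strnlen(name, IFNAMSIZ);   /* reads at most IFNAMSIZ bytes */
    if (len == 0)
        return -EINVAL;
    if (len >= IFNAMSIZ)             /* no room left for the terminating NUL */
        return -ENAMETOOLONG;
    memset(req, 0, sizeof(*req));
    memcpy(req->ifr_name, name, len + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample names: valid, 15 chars (longest valid), 16 chars, long, empty. */
    const char *samples[] = { "can0", "vcan_charger_15", "vcan_charger_016",
                              "can_interface_name_far_too_long", "" };
    struct ifreq req;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = can_set_ifname(&req, samples[i]);
        printf("%-34s -> %s\n", samples[i], rc == 0 ? "accepted" : strerror(-rc));
    }
    return 0;
}
```

Building the calling code with -fsanitize=address during testing gives the same stack-buffer-overflow report mentioned under Reproduction if an unchecked copy remains elsewhere.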
