EVerest Out-of-Bounds Access Vulnerability Leading to Remote Crash and Memory Corruption
Vulnerability
A vulnerability in EVerest, an EV charging software stack, exists in versions prior to 2026.02.0. The issue is an out-of-bounds access in a standard vector (std::vector) that can lead to a remote crash and memory corruption. The UpdateAllowedEnergyTransferModes message is sent by the Charging Station Management System (CSMS) to the charging station over the network, and the EVSE ID it carries is used as an index into a 0-based per-EVSE vector without the 1-based-to-0-based conversion and range check that would keep it in bounds, so the faulty access is reachable from the CSMS side of the OCPP connection. The problem has been observed as a heap-buffer-overflow crash when the software is compiled with AddressSanitizer (ASAN) enabled.
Impact
Exploitation of this vulnerability causes a heap-buffer-overflow: with ASAN enabled the process aborts immediately; in a normal build the out-of-bounds access reads or writes adjacent heap memory, which at minimum crashes the charging station software (denial of service) and may corrupt memory. Triggering it requires the ability to send OCPP messages to the station as the CSMS, i.e. a compromised or malicious backend, or a position on the station-to-CSMS connection.
Reproduction
The vulnerability can be reproduced by sending an UpdateAllowedEnergyTransferModes message from the CSMS to an EVSE (Electric Vehicle Supply Equipment) managed by EVerest version 2025.12.1 or earlier. OCPP numbers EVSEs starting at 1, but the ID from the message is applied to a 0-based vector without adjustment: on a station with N EVSEs, the highest valid EVSE ID (N) therefore selects element N, one past the end of the N-element vector, which is the out-of-bounds access that ASAN reports as a heap-buffer-overflow.
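The index mistake described above, shown as an added illustration rather than EVerest's own code: the unchecked mapping uses the 1-based EVSE ID directly against a 0-based std::vector, while the hardened version validates the network-supplied ID against the station's actual EVSE count and converts it before indexing. The EvseRecord type, its field name and the helper names are assumptions made for this example; the station contents are constructed.

```cpp
// Added example (not EVerest code): 1-based OCPP evseId vs. 0-based std::vector.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// Hypothetical per-EVSE record; the field name is an assumption for this example.
struct EvseRecord {
    std::vector<std::string> allowed_energy_transfer_modes;
};

// Constructed station with `count` EVSEs (OCPP evseId 1..count).
std::vector<EvseRecord> make_station(std::size_t count) {
    return std::vector<EvseRecord>(count);
}

// Vulnerable shape: the evseId from the message is used as the vector index
// as-is. For a station with N EVSEs, evseId == N names element N, one past
// the end; evseId == 0 silently aliases the first EVSE. Returned rather than
// dereferenced here so the faulty index can be observed without triggering it.
std::size_t unchecked_index(std::int32_t evse_id) {
    return static_cast<std::size_t>(evse_id);
}

// operator[] performs no bounds check, so an evse_id equal to evses.size()
// writes past the buffer (the heap-buffer-overflow ASAN reports). Only safe
// to call when evse_id happens to be in range.
bool unchecked_update(std::vector<EvseRecord>& evses, std::int32_t evse_id,
                      const std::vector<std::string>& modes) {
    evses[unchecked_index(evse_id)].allowed_energy_transfer_modes = modes;
    return true;
}

// Hardened shape: reject anything outside 1..count, then convert to 0-based.
std::optional<std::size_t> checked_index(std::int32_t evse_id, std::size_t count) {
    if (evse_id < 1) return std::nullopt;               // rejects 0 and negative ids
    std::size_t idx = static_cast<std::size_t>(evse_id) - 1;  // 1-based -> 0-based
    if (idx >= count) return std::nullopt;              // rejects evseId > N
    return idx;
}

// Returns false for an invalid id so the caller can answer the CSMS with an
// error status instead of touching memory it does not own.
bool checked_update(std::vector<EvseRecord>& evses, std::int32_t evse_id,
                    const std::vector<std::string>& modes) {
    auto idx = checked_index(evse_id, evses.size());
    if (!idx) return false;
    evses.at(*idx).allowed_energy_transfer_modes = modes;  // .at() as a second guard
    return true;
}
```

The important property is that the check is made against the vector's real size at the time of the message, not against a configured EVSE count: any value that arrives over the network is untrusted input, even from a party that is normally trusted like the CSMS.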
Remediation
Upgrade to EVerest version 2026.02.0 or later, which contains the fix. Until the upgrade is deployed, limit exposure by ensuring that only the legitimate CSMS can reach the station's OCPP endpoint (authenticated, TLS-protected connection; no reachable unauthenticated OCPP listener).
