EVerest ISO15118 Payment Options Buffer Overflow Vulnerability

Vulnerability

A buffer overflow vulnerability has been identified in the EVerest EV charging software stack, in versions prior to 2026.02.0. The issue is in the ISO15118_chargerImpl::handle_session_setup function, which copies a variable-length payment_options list into a fixed-size array of length 2 without bounds checking. Oversized MQTT command payloads therefore cause out-of-bounds writes, potentially corrupting adjacent EVSE state or crashing the process. The flaw is reachable because schema validation is disabled by default, so oversized payloads are not rejected before they reach the handler.

Impact

Exploitation of this vulnerability can lead to out-of-bounds writes that corrupt adjacent EVSE state or crash the process.

Reproduction

To reproduce this vulnerability, access the internal MQTT broker and publish a session_setup command with a payload that includes more than two payment_options entries. The absence of schema validation will allow the oversized payload to be accepted, causing the handler to write past the buffer limit and disrupt adjacent state or terminate the process.

Remediation

Users can upgrade to EVerest version 2026.02.0, which includes a patch for this vulnerability. Additionally, enabling schema validation in deployment configurations can help mitigate the issue.
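
The bounds check this class of bug calls for, shown as an added example. It is not EVerest source code or the upstream patch. The type and function names (PaymentOptionList, parse_option, set_payment_options), the option strings, and the rejection of an empty list are assumptions made for illustration.

```cpp
// Added illustration; every name here is hypothetical, not taken from EVerest.
#include <array>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

enum class PaymentOption { Contract, ExternalPayment };
constexpr std::size_t kMaxPaymentOptions = 2;  // fixed capacity stated in the advisory

struct PaymentOptionList {
    std::array<PaymentOption, kMaxPaymentOptions> items{};
    std::size_t count = 0;
};

// Map a wire string to the enum; unknown values are rejected rather than defaulted.
bool parse_option(const std::string& s, PaymentOption& out) {
    if (s == "Contract") { out = PaymentOption::Contract; return true; }
    if (s == "ExternalPayment") { out = PaymentOption::ExternalPayment; return true; }
    return false;
}

// Unsafe pattern (comment only): the loop index is driven by the input length,
//   for (const auto& s : requested) dst.items[dst.count++] = ...;
// Hardened copy: check length and every element first, then commit in one step,
// so a rejected command leaves the existing state untouched.
bool set_payment_options(const std::vector<std::string>& requested, PaymentOptionList& dst) {
    if (requested.empty() || requested.size() > kMaxPaymentOptions) return false;
    PaymentOptionList staged;
    for (const auto& s : requested) {
        PaymentOption opt{};
        if (!parse_option(s, opt)) return false;
        staged.items[staged.count++] = opt;
    }
    dst = staged;
    return true;
}

int main() {
    PaymentOptionList state;
    // Constructed sample inputs: one valid list, one with three entries.
    bool ok = set_payment_options({"Contract", "ExternalPayment"}, state);
    bool oversized = set_payment_options({"Contract", "ExternalPayment", "Contract"}, state);
    std::printf("valid=%d oversized=%d count=%zu\n", ok, oversized, state.count);
    return (ok && !oversized) ? 0 : 1;
}
```

The same length limit expressed in a message schema only protects the handler when schema validation is enabled, so the check belongs in the handler as well.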

Added: Mar 26, 2026, 5:59 PM
Updated: Mar 26, 2026, 5:59 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.