EVerest Charging Software Out-of-Bounds Write Vulnerability in ISO15118 Energy Transfer Mode Handling
Vulnerability
A vulnerability exists in the EVerest EV charging software stack, in the ISO15118 charger interface of the core application. Prior to version 2026.02.0, the function 'handle_update_energy_transfer_modes' copies a variable-length list of supported energy transfer modes into a fixed-size array of length 6 without checking that the list fits. An oversized MQTT command payload therefore causes out-of-bounds writes, which can corrupt adjacent Electric Vehicle Supply Equipment (EVSE) state or crash the process. Schema validation of commands, which can reject such a payload before it reaches the handler, is turned off by default, so the flaw is reachable in a default configuration.
Impact
An attacker who can publish to the internal MQTT broker can crash the charging process or corrupt adjacent EVSE state, disrupting charging sessions on the affected equipment.
Reproduction
To reproduce, obtain publish access to the internal MQTT broker and publish an 'update_energy_transfer_modes' command whose 'supported_energy_transfer_modes' list contains more than six entries. With schema validation disabled (the default), the handler copies every entry into the six-element array and writes past its end; the resulting out-of-bounds writes can corrupt EVSE state or crash the process.
Remediation
Upgrade to EVerest version 2026.02.0 or later, which includes a patch for this vulnerability. For deployments that cannot upgrade immediately, enabling schema validation in the deployment configuration rejects oversized command payloads before they reach the handler. Because the payload must be published to the internal MQTT broker, limiting who can publish to that broker also reduces exposure.
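The following is an added illustration, not EVerest source code: it shows the unchecked copy pattern the advisory describes (a list of arbitrary length written into a six-element array), a handler that refuses the command when the list exceeds that capacity, and a payload check standing in for the schema validation the remediation recommends. The struct layout, enum member names, function names and the comma-separated input format are assumptions made for the example; only the fixed capacity of 6 comes from the advisory.

```cpp
// Added example (not EVerest code). Names and layout are assumptions.
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

constexpr std::size_t kMaxEnergyTransferModes = 6;  // capacity named in the advisory

// Assumed enumerators; EVerest's real type and names are not reproduced here.
enum class EnergyTransferMode : std::uint8_t {
    AC_single_phase_core, AC_three_phase_core, DC_core, DC_extended, DC_combo_core, DC_unique, DC
};

struct EvseState {
    std::array<EnergyTransferMode, kMaxEnergyTransferModes> supported_modes{};
    std::size_t num_modes = 0;
    bool contactor_closed = false;  // adjacent state that an overflow could clobber
};

// Vulnerable pattern: trusts list.size() and writes past supported_modes when it exceeds 6.
// Calling this with more than six entries is undefined behaviour; kept only for contrast.
void handle_update_energy_transfer_modes_unchecked(EvseState& s,
                                                   const std::vector<EnergyTransferMode>& list) {
    for (std::size_t i = 0; i < list.size(); ++i) {
        s.supported_modes[i] = list[i];  // std::array::operator[] does no bounds check
    }
    s.num_modes = list.size();
}

// Hardened: reject the whole command when the list exceeds capacity; never partially apply it.
bool handle_update_energy_transfer_modes_checked(EvseState& s,
                                                 const std::vector<EnergyTransferMode>& list) {
    if (list.size() > s.supported_modes.size()) {
        return false;  // EVSE state is left untouched
    }
    std::copy(list.begin(), list.end(), s.supported_modes.begin());
    s.num_modes = list.size();
    return true;
}

// Stand-in for schema validation of the decoded command: enum members only, at most 6 items.
bool parse_energy_transfer_mode(const std::string& name, EnergyTransferMode& out) {
    static const std::pair<const char*, EnergyTransferMode> table[] = {
        {"AC_single_phase_core", EnergyTransferMode::AC_single_phase_core},
        {"AC_three_phase_core", EnergyTransferMode::AC_three_phase_core},
        {"DC_core", EnergyTransferMode::DC_core},
        {"DC_extended", EnergyTransferMode::DC_extended},
        {"DC_combo_core", EnergyTransferMode::DC_combo_core},
        {"DC_unique", EnergyTransferMode::DC_unique},
        {"DC", EnergyTransferMode::DC},
    };
    for (const auto& entry : table) {
        if (name == entry.first) {
            out = entry.second;
            return true;
        }
    }
    return false;
}

bool validate_supported_modes(const std::vector<std::string>& names,
                              std::vector<EnergyTransferMode>& out) {
    if (names.size() > kMaxEnergyTransferModes) return false;  // maxItems check
    out.clear();
    for (const auto& n : names) {
        EnergyTransferMode m;
        if (!parse_energy_transfer_mode(n, m)) return false;   // enum check
        out.push_back(m);
    }
    return true;
}

// Apply an n-entry list to a fresh state through the checked handler; returns the number of
// modes stored, or -1 if the command was rejected.
int checked_update_result(std::size_t n) {
    EvseState state;
    std::vector<EnergyTransferMode> list;
    for (std::size_t i = 0; i < n; ++i) list.push_back(static_cast<EnergyTransferMode>(i % 7));
    if (!handle_update_energy_transfer_modes_checked(state, list)) return -1;
    return static_cast<int>(state.num_modes);
}

// Validate a comma-separated list of mode names (constructed stand-in for the JSON array).
bool validate_csv(const std::string& csv) {
    std::vector<std::string> names;
    std::stringstream ss(csv);
    std::string item;
    while (std::getline(ss, item, ',')) names.push_back(item);
    std::vector<EnergyTransferMode> parsed;
    return validate_supported_modes(names, parsed);
}

int main() {
    std::cout << "6 entries -> " << checked_update_result(6) << "\n";
    std::cout << "7 entries -> " << checked_update_result(7) << "\n";
    std::cout << "unknown name accepted? " << validate_csv("DC_extended,bogus") << "\n";
    return 0;
}
```

The checked handler rejects rather than truncates: silently keeping the first six entries would leave the EVSE advertising a mode set that differs from what the operator sent, which is a safety-relevant mismatch for a charger. The payload check runs on the decoded command, so it closes the hole even when broker-side schema validation is disabled.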
