
Everest Core CVE-2026-26008

EUVD: EUVD-2026-16201 · HIGH
Out-of-bounds Read (CWE-125)
Published 2026-03-26 · CNA: GitHub_M
CVSS 3.1: 7.5 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

Lifecycle Timeline (6 events)

  • Apr 16, 2026 06:13: Analysis Updated (EUVD-patch-fix, executive_summary)
  • Apr 16, 2026 05:29: Re-analysis Queued (backfill_euvd_patch, patch_released)
  • Apr 16, 2026 05:29: Patch available (EUVD): 2026.02.0
  • Mar 26, 2026 15:00: EUVD ID Assigned (euvd): EUVD-2026-16201
  • Mar 26, 2026 15:00: Analysis Generated (vuln.today)
  • Mar 26, 2026 14:43: CVE Published (nvd): HIGH 7.5

Description (GitHub Advisory)

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access (std::vector) that leads to possible remote crash/memory corruption. This is because the CSMS sends UpdateAllowedEnergyTransferModes over the network. Version 2026.2.0 contains a patch.

Analysis (AI-generated)

Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unauthenticated attackers to crash the charging station software or corrupt memory by sending crafted UpdateAllowedEnergyTransferModes messages from a Charging Station Management System (CSMS). CVSS 7.5 severity reflects network-accessible denial of service with high availability impact. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Send malicious UpdateAllowedEnergyTransferModes message
  • Exploit: Trigger out-of-bounds vector access
  • Impact: Crash EVerest service or corrupt memory

Vulnerability Assessment (AI-generated)

Exploitation: A remote, unauthenticated attacker sends crafted UpdateAllowedEnergyTransferModes messages to EVerest versions prior to 2026.02.0. …

Risk Assessment: CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates high availability impact from a network-based, unauthenticated, low-complexity attack; confidentiality and integrity are rated as not affected. …

Exploit Scenario: An attacker with network access to the charging station's OCPP communication channel (either by compromising the legitimate CSMS infrastructure or by posing as a rogue CSMS on the network) sends malformed UpdateAllowedEnergyTransferModes messages with out-of-bounds vector indices. The everest-core software attempts to access invalid memory locations, resulting in an immediate software crash and denial of service for the charging station, which prevents legitimate EV charging operations. …

Remediation: Upgrade everest-core to version 2026.02.0 or later, which contains the vendor-released patch for this vulnerability, as documented in the GitHub security advisory at https://github.com/EVerest/EVerest/security/advisories/GHSA-vw95-6jj7-3fv9. …

Recommended Action (AI-generated)

Within 24 hours: Inventory all EVerest everest-core deployments and identify instances running versions before 2026.02.0; assess network segmentation between CSMS and charging stations. …


  • CVE-2026-22790 (HIGH 8.8, Mar 26): Remote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attacker
  • CVE-2026-23995 (HIGH 8.4, Mar 26): Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary
  • CVE-2026-22593 (HIGH 8.4, Mar 26): Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certifica
  • CVE-2026-33009 (HIGH 8.2, Mar 26): Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attacker
  • CVE-2026-26074 (HIGH 7.0, Mar 26): Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to co
  • CVE-2026-26073 (MEDIUM 5.9, Mar 26): EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling tr
  • CVE-2026-27828 (MEDIUM 5.5, Mar 26): EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_charg
  • CVE-2026-27816 (MEDIUM 5.5, Mar 26): EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handl
  • CVE-2026-27815 (MEDIUM 5.5, Mar 26): Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corr
  • CVE-2026-27813 (MEDIUM 5.3, Mar 26): EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memo
  • CVE-2026-33015 (MEDIUM 5.2, Mar 26): EVerest charging software stack versions prior to 2026.02.0 allow EV operators to bypass remote stop commands issued by
  • CVE-2026-33014 (MEDIUM 5.2, Mar 26): EVerest-core prior to version 2026.02.0 fails to properly terminate EV charging transactions during remote stop operatio


CVE-2026-26008 vulnerability details – vuln.today
