Severity by source
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A stack-based buffer overflow vulnerability in the charging controller’s signal-processing logic allows an attacker with physical access to the charging interface to supply message fields that exceed expected bounds. Because the input is not sufficiently validated, memory corruption may occur, which can lead to execution of unauthorized code with elevated privileges.
AnalysisAI
Stack-based buffer overflow in the XCharge C6 charging controller's signal-processing logic enables an attacker with physical access to the charging interface to corrupt memory by sending oversized message fields, potentially gaining code execution with elevated privileges. Reported through CISA's ICS-CERT under advisory ICSA-26-148-08, the flaw carries a CVSS 4.0 score of 8.6 driven by high impact to confidentiality, integrity, and availability of both the vulnerable component and adjacent subsystems. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
The affected product (cpe:2.3:a:xcharge:c6) is an electric-vehicle charging station controller that processes protocol messages - typically over the EV-to-EVSE communication channel such as ISO 15118 / DIN 70121 PLC or the proprietary CAN/serial layer exposed at the charging coupler. CWE-121 (stack-based buffer overflow) indicates that fixed-size stack buffers in the signal-processing routines copy attacker-controlled message fields without enforcing length checks, allowing the saved return address or adjacent stack frame data to be overwritten. Because embedded charging controllers commonly run firmware without modern mitigations (ASLR, stack canaries, NX) and execute with the privileges of the charging supervisor process, successful corruption can pivot directly to arbitrary code execution on the EVSE.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data; consult the CISA ICS advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08 for the vendor's authoritative fix version and firmware update procedure, and apply it to all XCharge C6 units as the primary remediation. Until firmware is updated, compensating controls include restricting physical access to the charging coupler and controller enclosure (locked stations, tamper-evident seals, CCTV monitoring of public chargers - trade-off: does not stop a determined attacker posing as a customer), disabling or rate-limiting non-essential charging protocols and any debug/diagnostic ports on the coupler (trade-off: may break legitimate vehicle handshakes or field-service workflows), and network-segmenting EVSE units from the charging operator's payment, OCPP, and back-office networks to contain the SC:H/SI:H subsequent-impact path (trade-off: complicates remote management and roaming).
Unauthorized firmware installation in the XCharge C6 charging controller stems from missing cryptographic signature veri
Full administrative compromise of the XCharge C6 EV charger is achievable by a physically connected device that abuses a
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33003
GHSA-88gx-5947-cmjp