{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27816", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.798Z", "datePublished": "2026-03-26T16:32:05.363Z", "dateUpdated": "2026-03-26T18:24:18.212Z"}, "containers": {"cna": {"title": "EVerest's ISO15118 update_energy_transfer_modes overflow can corrupt EVSE state", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-gq54-j8f4-xj8c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-gq54-j8f4-xj8c"}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"version": "< 2026.02.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:33:57.619Z"}, "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO15118_chargerImpl::handle_update_energy_transfer_modes copies a variable-length list into a fixed-size array of length 6 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can trigger out-of-bounds writes and corrupt adjacent EVSE state or crash the process. Version 2026.02.0 contains a patch."}], "source": {"advisory": "GHSA-gq54-j8f4-xj8c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:48:28.483916Z", "id": "CVE-2026-27816", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:24:18.212Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27816", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:48:28.483916Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:48:34.319Z"}}], "cna": {"title": "EVerest's ISO15118 update_energy_transfer_modes overflow can corrupt EVSE state", "source": {"advisory": "GHSA-gq54-j8f4-xj8c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"status": "affected", "version": "< 2026.02.0"}]}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-gq54-j8f4-xj8c", "name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-gq54-j8f4-xj8c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO15118_chargerImpl::handle_update_energy_transfer_modes copies a variable-length list into a fixed-size array of length 6 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can trigger out-of-bounds writes and corrupt adjacent EVSE state or crash the process. Version 2026.02.0 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:33:57.619Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27816", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:24:18.212Z", "dateReserved": "2026-02-24T02:32:39.798Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T16:32:05.363Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB167E67-6808-4F7B-9505-FFF0C02B288C", "versionEndExcluding": "2026.02.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO15118_chargerImpl::handle_update_energy_transfer_modes copies a variable-length list into a fixed-size array of length 6 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can trigger out-of-bounds writes and corrupt adjacent EVSE state or crash the process. Version 2026.02.0 contains a patch."}, {"lang": "es", "value": "EVerest es una pila de software de carga de veh\u00edculos el\u00e9ctricos. Antes de las versiones a 2026.02.0, ISO15118_chargerImpl::handle_update_energy_transfer_modes copia una lista de longitud variable en un array de tama\u00f1o fijo de longitud 6 sin comprobaci\u00f3n de l\u00edmites. Con la validaci\u00f3n de esquema deshabilitada por defecto, las cargas \u00fatiles (payloads) de comandos MQTT sobredimensionadas pueden desencadenar escrituras fuera de l\u00edmites y corromper el estado EVSE adyacente o bloquear el proceso. La versi\u00f3n 2026.02.0 contiene un parche."}], "id": "CVE-2026-27816", "lastModified": "2026-03-31T14:46:38.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T17:16:34.210", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-gq54-j8f4-xj8c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.02.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "everest-core", "source": "cna", "vendor": "EVerest"}, "product": "everest-core", "vendor": "everest"}], "analysis": {"en": {"generated_at": "2026-03-31T16:26:36.266094+00:00", "value": {"mitigation_remediation": ["Upgrade EVerest everest\u2011core to 2026.02.0 or later to apply the boundary\u2011check patch."], "summary": {"action": "Patch Now", "impact": "Out\u2011of\u2011bounds write causing EVSE state corruption or crash"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the EVerest open\u2011source charging software stack, specifically the everest\u2011core component, on all installations running any version prior to 2026.02.0. Users operating EVerest 2026.02.0 or later are not impacted.", "description_and_impact": "A flaw in the ISO15118_chargerImpl module of EVerest allows an attacker to send an oversized MQTT command payload. The implementation copies this data into a fixed array of six elements without performing bounds checking, resulting in a buffer overflow (CWE\u2011787). The overflow can overwrite neighboring memory, corrupting EVSE state or terminating the process, which may lead to service disruption or unpredictable charging behavior.", "risk_and_exploitability": "The CVSS base score of 5.5 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. The issue is not listed in the CISA KEV catalog. Exploitation requires network access to the MQTT broker and the ability to craft an oversized packet, which is feasible for an adversary with such access. Successful exploitation would likely cause denial of service or state corruption, potentially risking unsafe charging operations."}}}}, "created": "2026-03-27T08:33:50.275378+00:00", "updated": "2026-03-31T20:08:51.417554+00:00", "vendors": ["everest", "everest$PRODUCT$everest-core"]}