Secmate

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. The `ISO15118 chargerImpl::handle session setup` function uses the `v2g ctx` variable after it has been freed when ISO15118 initialization fails, such as when there is no IPv6 link-local address. An attacker with MQTT access can remotely crash the EVSE process by issuing a `session setup` command while `v2g ctx` has been released. The vulnerable function is `handle session setup`. The MQTT protocol is used for communication. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** Golioth Firmware SDK versions 0.10.0 through 0.21.9 **Description** The Golioth Firmware SDK contains a stack-based buffer overflow in Payload Utils. The `golioth payload as int()` and `golioth payload as float()` helpers use `memcpy()` to copy network-supplied payload data into fixed-size stack buffers, with the length derived from `payload size`. Assertions intended to limit the copy length are removed in release builds, allowing `memcpy()` to copy an unbounded `payload size`. Payloads exceeding 12 bytes (for integers) or 32 bytes (for floats) can cause a stack overflow, leading to a crash or denial of service. This issue is reachable through LightDB State on payload with a malicious server or a man-in-the-middle (MITM) attack. **Recommendations** Update to Golioth Firmware SDK version 0.22.0 or later.

**Name of the Vulnerable Software and Affected Versions** Golioth Firmware SDK versions 0.10.0 through 0.21.9 **Description** The software contains an out-of-bounds read issue in LightDB State string parsing. A small `payload size` value (less than 2) can lead to a size t underflow when calculating the number of bytes to copy during string processing. This results in a `memcpy()` operation reading beyond the allocated network buffer, potentially causing a device crash. This condition is reachable through the `on payload` function, and the `golioth payload is null()` function does not prevent payloads of size 1 from being processed. A malicious server or a man-in-the-middle (MITM) attacker can trigger a denial of service. **Recommendations** Update to version 0.22.0 or later.

**Name of the Vulnerable Software and Affected Versions** Golioth Firmware SDK versions prior to 0.22.0 **Description** The software contains an out-of-bounds read issue stemming from improper null termination during a blockwise transfer. The `blockwise transfer init()` function accepts a path with a length equal to `CONFIG GOLIOTH COAP MAX PATH LEN` and copies it using `strncpy()` without ensuring a trailing NUL byte. This can leave the `ctx->path` buffer unterminated. Subsequently, a `strlen()` operation on this buffer within the `golioth coap client get internal()` function may read beyond the allocated memory, potentially leading to a crash or denial of service. The input path is application-controlled. **Recommendations** Update to Golioth Firmware SDK version 0.22.0 or later.

**Nome do Software Vulnerável e Versões Afetadas** Versões do Golioth Pouch anteriores ao commit 1b2219a1 **Descrição** O software contém um overflow de buffer no heap no tratamento de certificados do servidor GATT BLE. A função `server cert write()` aloca um buffer no heap de tamanho `CONFIG POUCH SERVER CERT MAX LEN` ao receber o primeiro fragmento e, em seguida, anexa fragmentos subsequentes usando `memcpy()` sem verificar capacidade suficiente. Um cliente BLE próximo pode enviar fragmentos não autenticados cujo tamanho combinado excede o buffer alocado, levando a um overflow no heap e possível queda, bem como possível corrupção de memória. **Recomendações** Atualize para a versão 0.1.0 com o commit 1b2219a1 ou posterior.

**Nome do Software Vulnerável e Versões Afetadas** Versões do libcoap até e incluindo a 4.3.5 **Descrição** O software contém um estouro de buffer na pilha na resolução de endereços. Isso ocorre quando dados de hostname controlados pelo atacante são copiados para um buffer de pilha fixo de 256 bytes sem a devida verificação de limites. Um atacante remoto poderia potencialmente causar uma falha e, dependendo das configurações do compilador e das proteções de memória em tempo de execução, obter execução remota de código. A exploração requer que a lógica de proxy esteja habilitada, especificamente o caminho de código de tratamento de solicitações de proxy dentro de um aplicativo que utilize o libcoap. **Recomendações** Atualize o libcoap para uma versão anterior à 4.3.5 que inclua o commit 30db3ea.