Finder16

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race condition that can lead to potential corruption of `std::queue` and `std::deque`. The issue is triggered by a powermeter public key update and EV session/error events occurring while OCPP is not initiated. This results in a data race report from TSAN and the observation of a misaligned address runtime error from ASAN/UBSAN. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. Before version 2026.02.0, even after a `RemoteStop` (StopTransaction) is performed by the CSMS, the EVSE can return to `PrepareCharging` through the EV’s BCB toggle, allowing session restart. This breaks the irreversibility of the remote stop and can bypass operational, billing, and safety controls. The `RemoteStop` function is performed by the CSMS. The EVSE returns to the `PrepareCharging` state via the EV’s BCB toggle. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. Before version 2026.02.0, during the processing of RemoteStop, a delayed authorization response resets the `authorized` variable to true. This bypasses the condition for calling the `stop transaction()` function during PowerOff events, potentially leaving the transaction open even after a remote stop. The `authorized` variable is central to this issue. **Recommendations** Versions prior to 2026.02.0 should be updated to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race condition leading to C++ undefined behavior (UB), potentially resulting in memory corruption. This issue is triggered by an MQTT message sent to the `everest external/nodered/{connector}/cmd/switch three phases while charging` API endpoint. The issue involves concurrent access to `Charger::shared context` and `internal context` without proper locking mechanisms. **Recommendations** Versions prior to 2026.02.0 should be updated to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. When `WithdrawAuthorization` is processed before the `TransactionStarted` event, `AuthHandler` determines `transaction active=false` and only calls `withdraw authorization callback`. This path ultimately calls `Charger::deauthorize()`, but no actual `StopTransaction` occurs in the Charging state. As a result, authorization withdrawal can be defeated by timing, allowing charging to continue. The vulnerable code path involves the `withdraw authorization callback` function and the `Charger::deauthorize()` function. The `transaction active` variable is a key component in determining the correct authorization flow. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (C++ undefined behavior) triggered by a 1-phase ↔ 3-phase switch request (`ac switch three phases while charging`) during charging or waiting, which executes concurrently with the state machine loop. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack susceptible to a data race condition leading to a use-after-free issue. This condition is triggered by events such as EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events, including delayed authorization responses. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack susceptible to a data race that could lead to corruption of `std::map<std::queue>`. The issue is triggered by a CSMS GetLog/UpdateFirmware request (network) coinciding with an EVSE fault event (physical). This results in concurrent access (data race) to the `event queue`, as reported by TSAN. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. A flaw exists in IsoMux certificate filename handling due to an off-by-one check. This can lead to a stack-based buffer overflow when a filename length equals `MAX FILE NAME LENGTH` (100). A crafted filename within the certificate directory can overflow `file names[idx]`, potentially corrupting stack state and enabling code execution. **Recommendations** Versions prior to 2026.02.0 should be updated to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. Prior to version 2026.02.0, the `HomeplugMessage::setup payload` function trusts the `len` variable after an `assert` check. In release builds, this check is removed, allowing oversized SLAC payloads to be copied into a roughly 1497-byte stack buffer via `memcpy`. This buffer overflow corrupts the stack, potentially enabling remote code execution from network-provided frames. The vulnerable function is `HomeplugMessage::setup payload`. The `len` variable is a vulnerable parameter. **Recommendations** Versions prior to 2026.02.0 should be updated to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. A stack-based buffer overflow exists in the CAN interface initialization process. This occurs when an interface name exceeding IFNAMSIZ (16 characters) is passed to CAN open routines, overflowing the `ifreq.ifr name` buffer and potentially corrupting adjacent stack data, which could lead to code execution. A malicious or misconfigured interface name can trigger this issue before any privilege checks are performed. **Recommendations** Versions prior to 2026.02.0 should be updated to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access issue involving a `std::vector`, potentially leading to remote crash or memory corruption. This occurs because the CSMS sends `UpdateAllowedEnergyTransferModes` over the network. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack susceptible to a data race condition. This condition leads to concurrent access of `std::map<std::optional>`, potentially causing container or optional corruption. The issue is triggered by an Electric Vehicle (EV) State of Charge (SoC) update occurring simultaneously with a powermeter periodic update and during unplugging or session finished states. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to concurrent access to `std::string`, with a possible heap-use-after-free condition. This issue is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race condition that can lead to concurrent access to `std::map<std::optional>`, potentially causing container or optional corruption. The issue is triggered by an Electric Vehicle (EV) State of Charge (SoC) update combined with periodic power meter updates and the status of disconnection or session completion. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** Envoy versions prior to 1.34.13 Envoy versions prior to 1.35.8 Envoy versions prior to 1.36.5 Envoy versions prior to 1.37.1 **Description** Envoy is a high-performance edge/middle/service proxy. An off-by-one write in the `Envoy::JsonEscaper::escapeString()` function can corrupt the null-termination of a `std::string`, potentially leading to crashes or out-of-bounds reads when the resulting string is treated as a C-string. **Recommendations** Update to Envoy version 1.34.13 or later. Update to Envoy version 1.35.8 or later. Update to Envoy version 1.36.5 or later. Update to Envoy version 1.37.1 or later.

**Name of the Vulnerable Software and Affected Versions** BACnet Protocol Stack versions 1.4.2 and 1.5.0.rc2 and earlier **Description** The BACnet Protocol Stack library contains a flaw in the ubasic interpreter due to an off-by-one stack-based buffer overflow. This occurs when processing string literals that exceed the buffer limit. The `tokenizer string` function in `src/bacnet/basic/program/ubasic/tokenizer.c` incorrectly manages null termination for strings at the maximum length, leading to a stack overflow and a crash. **Recommendations** Versions prior to 1.5.0.rc2 should be updated.

**Name of the Vulnerable Software and Affected Versions** LangChain versions prior to 1.2.11 **Description** LangChain is a framework used for building applications powered by large language models (LLMs). A flaw exists in the `ChatOpenAI.get num tokens from messages()` method where it retrieves image URLs without proper validation when calculating token counts for models with vision capabilities. This can be exploited to initiate Server-Side Request Forgery (SSRF) attacks. Attackers can achieve this by supplying malicious image URLs as part of user-provided input. The vulnerable function is `ChatOpenAI.get num tokens from messages()`. The vulnerable parameter is `image url`. **Recommendations** Update to LangChain version 1.2.11 or later.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software-only solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. The `Crypto Config Add Gvcid Managed Parameters` function does not adequately validate input, specifically only checking if `gvcid counter` is greater than `GVCID MAN PARAM SIZE`. This insufficient check allows for up to 251 entries, resulting in a write beyond the bounds of the `gvcid managed parameters array` array. This out-of-bounds write overwrites the `gvcid counter` variable, potentially impacting parameter lookup and registration logic that depends on its value. **Recommendations** Versions prior to 1.4.3 should be updated to version 1.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software solution that uses the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft and a ground station. Prior to version 1.4.3, the `Crypto AOS ProcessSecurity` function does not perform valid bounds checking when parsing AOS frame hashes, leading to a potential issue. **Recommendations** Versions prior to 1.4.3 should be updated to version 1.4.3 or later.