Secmate

**Name of the Vulnerable Software and Affected Versions** EVerest versions prior to 2026.02.0 **Description** EVerest is an EV charging software stack. The `ISO15118 chargerImpl::handle session setup` function uses the `v2g ctx` variable after it has been freed when ISO15118 initialization fails, such as when there is no IPv6 link-local address. An attacker with MQTT access can remotely crash the EVSE process by issuing a `session setup` command while `v2g ctx` has been released. The vulnerable function is `handle session setup`. The MQTT protocol is used for communication. **Recommendations** Update to version 2026.02.0 or later.

**Name of the Vulnerable Software and Affected Versions** Golioth Firmware SDK versions 0.10.0 through 0.21.9 **Description** The Golioth Firmware SDK contains a stack-based buffer overflow in Payload Utils. The `golioth payload as int()` and `golioth payload as float()` helpers use `memcpy()` to copy network-supplied payload data into fixed-size stack buffers, with the length derived from `payload size`. Assertions intended to limit the copy length are removed in release builds, allowing `memcpy()` to copy an unbounded `payload size`. Payloads exceeding 12 bytes (for integers) or 32 bytes (for floats) can cause a stack overflow, leading to a crash or denial of service. This issue is reachable through LightDB State on payload with a malicious server or a man-in-the-middle (MITM) attack. **Recommendations** Update to Golioth Firmware SDK version 0.22.0 or later.

**Name of the Vulnerable Software and Affected Versions** Golioth Firmware SDK versions 0.10.0 through 0.21.9 **Description** The software contains an out-of-bounds read issue in LightDB State string parsing. A small `payload size` value (less than 2) can lead to a size t underflow when calculating the number of bytes to copy during string processing. This results in a `memcpy()` operation reading beyond the allocated network buffer, potentially causing a device crash. This condition is reachable through the `on payload` function, and the `golioth payload is null()` function does not prevent payloads of size 1 from being processed. A malicious server or a man-in-the-middle (MITM) attacker can trigger a denial of service. **Recommendations** Update to version 0.22.0 or later.

**Name of the Vulnerable Software and Affected Versions** Golioth Firmware SDK versions prior to 0.22.0 **Description** The software contains an out-of-bounds read issue stemming from improper null termination during a blockwise transfer. The `blockwise transfer init()` function accepts a path with a length equal to `CONFIG GOLIOTH COAP MAX PATH LEN` and copies it using `strncpy()` without ensuring a trailing NUL byte. This can leave the `ctx->path` buffer unterminated. Subsequently, a `strlen()` operation on this buffer within the `golioth coap client get internal()` function may read beyond the allocated memory, potentially leading to a crash or denial of service. The input path is application-controlled. **Recommendations** Update to Golioth Firmware SDK version 0.22.0 or later.

**Name of the Vulnerable Software and Affected Versions** Golioth Pouch versions prior to commit 1b2219a1 **Description** The software contains a heap-based buffer overflow in BLE GATT server certificate handling. The `server cert write()` function allocates a heap buffer of size `CONFIG POUCH SERVER CERT MAX LEN` when receiving the first fragment, and then appends subsequent fragments using `memcpy()` without verifying sufficient capacity. A nearby BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, leading to a heap overflow and potential crash, as well as possible memory corruption. **Recommendations** Update to version 0.1.0 with commit 1b2219a1 or later.

**Name of the Vulnerable Software and Affected Versions** libcoap versions up to and including 4.3.5 **Description** The software contains a stack-based buffer overflow in address resolution. This occurs when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without sufficient bounds checking. A remote attacker could potentially cause a crash and, depending on compiler settings and runtime memory protections, achieve remote code execution. Exploitation requires the proxy logic to be enabled, specifically the proxy request handling code path within an application utilizing libcoap. **Recommendations** Update libcoap to a version prior to 4.3.5 that includes commit 30db3ea.