PT-2026-28328 · Everest · Everest

Finder16 · Published 2026-03-26 · Updated 2026-03-29 · CVE-2026-22790

CVSS v3.1: 8.8 (High)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

EVerest versions prior to 2026.02.0

Description

EVerest is an EV charging software stack. Prior to version 2026.02.0, the HomeplugMessage::setup_payload function trusts the len variable after an assert check. In release builds, this check is removed, allowing oversized SLAC payloads to be copied into a roughly 1497-byte stack buffer via memcpy. This buffer overflow corrupts the stack, potentially enabling remote code execution from network-provided frames. The vulnerable function is HomeplugMessage::setup_payload. The vulnerable parameter is len.

Recommendations

Versions prior to 2026.02.0 should be updated to version 2026.02.0 or later.
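
The assert-only length check described above, next to a form that keeps the bound in every build type. This is an added illustration, not EVerest code: the Message struct, both function names and signatures, and the exact 1497-byte capacity are assumptions based on the advisory text.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical stand-in for the message buffer; 1497 comes from the
// advisory's "roughly 1497-byte" figure, not from the EVerest sources.
constexpr std::size_t kPayloadCap = 1497;

struct Message {
    std::uint8_t payload[kPayloadCap];
    std::size_t payload_len;
};

// Pattern the advisory describes: the bound lives only in assert(), which
// the preprocessor removes when NDEBUG is defined (typical release builds).
void setup_payload_assert_only(Message& m, const void* src, std::size_t len) {
    assert(len <= sizeof(m.payload));
    std::memcpy(m.payload, src, len);  // unbounded once the assert is gone
    m.payload_len = len;
}

// Hardened form: the bound is ordinary control flow, present in every build.
bool setup_payload_checked(Message& m, const void* src, std::size_t len) {
    if (src == nullptr || len > sizeof(m.payload)) {
        return false;  // caller drops the frame; m is left untouched
    }
    std::memcpy(m.payload, src, len);
    m.payload_len = len;
    return true;
}

int main() {
    Message m;
    m.payload_len = 0;
    std::vector<std::uint8_t> ok(64, 0xAA);                 // constructed sample input
    std::vector<std::uint8_t> big(kPayloadCap + 1, 0xBB);   // constructed, one byte too long
    std::printf("%zu-byte payload accepted: %d\n", ok.size(),
                setup_payload_checked(m, ok.data(), ok.size()));
    std::printf("%zu-byte payload accepted: %d\n", big.size(),
                setup_payload_checked(m, big.data(), big.size()));
    return 0;
}
```

Building with -DNDEBUG and AddressSanitizer in CI is one way to confirm that no length check on network input depends on assert().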

Exploit

Fix

Stack Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-22790
GHSA-WH8W-7CFC-GQ7M

Affected Products

Everest