PT-2026-28360 · Everest · Everest

Published: 2026-03-26 · Updated: 2026-03-27 · CVE-2026-27815

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: EVerest versions prior to 2026.02.0
Description: EVerest is an EV charging software stack. Before version 2026.02.0, the ISO15118 chargerImpl::handle session setup function copies a variable-length payment-options list into a fixed-size array of length 2 without bounds checking. Because schema validation is disabled by default, oversized MQTT Cmd payloads can trigger out-of-bounds writes, potentially corrupting adjacent EVSE state or crashing the process. The vulnerable function is handle session setup; the vulnerable parameter is payment options.
Recommendations: Update to version 2026.02.0 or later.
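The defect class described above, a variable-length list copied into a fixed-size array of length 2 without a length check, is shown below as an added illustration beside a hardened variant. This is not EVerest code: the `SessionState` type, the `PaymentOption` alias, the `kMaxPaymentOptions` constant and the function names are assumptions modelled only on the advisory's wording. The hardened copy validates the length before touching the array and reports rejection to the caller rather than silently truncating, which is the same effect that enabling schema validation on incoming Cmd payloads would have before the handler runs.

```cpp
#include <array>
#include <cstddef>
#include <string>
#include <vector>

// Added illustration, not EVerest code. Names and the size constant are
// assumptions based on the advisory text (fixed-size array of length 2).
constexpr std::size_t kMaxPaymentOptions = 2;
using PaymentOption = std::string;
using PaymentOptionArray = std::array<PaymentOption, kMaxPaymentOptions>;

struct SessionState {
    PaymentOptionArray payment_options{};
    std::size_t payment_options_count = 0;
    // Adjacent state that an overflow of payment_options could clobber.
    bool authorized = false;
};

// Vulnerable pattern (shown for reading only; never called here with
// more than kMaxPaymentOptions entries): the loop trusts the input length
// and indexes past the end of the fixed-size array.
void copy_payment_options_unchecked(SessionState& s,
                                    const std::vector<PaymentOption>& in) {
    for (std::size_t i = 0; i < in.size(); ++i) {
        s.payment_options[i] = in[i];  // out-of-bounds write when in.size() > 2
    }
    s.payment_options_count = in.size();
}

// Hardened pattern: check the length against the destination capacity
// first and surface the rejection so the caller can NAK the payload.
enum class CopyResult { Ok, TooManyOptions, Empty };

CopyResult copy_payment_options_checked(SessionState& s,
                                        const std::vector<PaymentOption>& in) {
    if (in.empty()) {
        return CopyResult::Empty;
    }
    if (in.size() > s.payment_options.size()) {
        // Reject instead of truncating, so an oversized list is visible
        // in logs and cannot alter EVSE state.
        return CopyResult::TooManyOptions;
    }
    for (std::size_t i = 0; i < in.size(); ++i) {
        s.payment_options[i] = in[i];
    }
    s.payment_options_count = in.size();
    return CopyResult::Ok;
}

int main() {
    SessionState s;
    // Constructed sample inputs: a well-formed list and an oversized one.
    CopyResult ok = copy_payment_options_checked(s, {"Contract", "ExternalPayment"});
    CopyResult rejected = copy_payment_options_checked(s, {"a", "b", "c"});
    return (ok == CopyResult::Ok && rejected == CopyResult::TooManyOptions) ? 0 : 1;
}
```

The detection point for defenders is the `TooManyOptions` path: a payload that reaches it should be logged and counted, because with the unchecked copy the same input would have written past the array silently.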

Exploit

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2026-27815
GHSA-7WMG-CRC8-6XXF

Affected Products

Everest