CVE-2026-22593 Overview
CVE-2026-22593 is a stack-based buffer overflow vulnerability in EVerest, an open-source EV charging software stack. The vulnerability exists in the IsoMux certificate filename handling component, where an off-by-one error in boundary checking allows attackers to overflow a stack buffer when processing certificate filenames. This flaw can lead to stack corruption and potential arbitrary code execution on vulnerable EV charging systems.
Critical Impact
A crafted filename in the certificate directory can overflow file_names[idx], corrupting stack state and enabling potential code execution on EV charging infrastructure.
Affected Products
- EVerest EV charging software stack versions prior to 2026.02.0
Discovery Timeline
- March 26, 2026 - CVE-2026-22593 published to NVD
- March 26, 2026 - Last updated in NVD database
Technical Details for CVE-2026-22593
Vulnerability Analysis
This vulnerability stems from an off-by-one error (CWE-193) in the certificate filename validation logic within EVerest's IsoMux component. The flaw occurs when processing certificate files where the filename length equals the maximum allowed length constant MAX_FILE_NAME_LENGTH (100 characters). Due to the incorrect boundary check, a filename of exactly 100 characters bypasses the intended validation and results in a write operation that exceeds the allocated buffer space.
The stack-based nature of the buffer makes this vulnerability particularly dangerous, as overflowing the buffer can overwrite critical stack data including return addresses and saved frame pointers. An attacker with local access who can place a maliciously crafted certificate file with a specially constructed filename in the certificate directory could potentially leverage this overflow to achieve arbitrary code execution.
Root Cause
The root cause is a classic off-by-one error in the boundary condition check for filename lengths. The validation logic incorrectly uses a less-than comparison (<) rather than a less-than-or-equal comparison (<=) when checking against MAX_FILE_NAME_LENGTH. This allows filenames of exactly 100 characters to pass validation even though the buffer can only safely accommodate 99 characters plus a null terminator.
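Added example, not EVerest's own code: a minimal C illustration of the boundary condition described above. It assumes the check is a rejection of the form MAX_FILE_NAME_LENGTH < len and that the destination is a MAX_FILE_NAME_LENGTH-byte array; the function names (accepts_flawed, accepts_fixed, bytes_written, store_name) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Value stated in the advisory: the buffer holds 99 characters plus '\0'. */
#define MAX_FILE_NAME_LENGTH 100

/* Flawed rejection test (assumed form): only names longer than the
 * constant are refused, so a name of exactly 100 characters is accepted. */
static int accepts_flawed(size_t len) {
    return !(MAX_FILE_NAME_LENGTH < len);
}

/* Corrected test: a name of exactly MAX_FILE_NAME_LENGTH characters is
 * refused as well, which leaves room for the terminator. */
static int accepts_fixed(size_t len) {
    return !(MAX_FILE_NAME_LENGTH <= len);
}

/* Bytes a copy of the name writes into the buffer, terminator included. */
static size_t bytes_written(size_t len) {
    return len + 1;
}

/* Hardened store: refuses any name that does not fit with its terminator
 * and never truncates silently. Returns 0 on success, -1 on rejection. */
static int store_name(char dst[MAX_FILE_NAME_LENGTH], const char *src) {
    const char *end = memchr(src, '\0', MAX_FILE_NAME_LENGTH);
    if (end == NULL)
        return -1;                      /* no terminator within 100 bytes */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

int main(void) {
    char slot[MAX_FILE_NAME_LENGTH];
    char name[MAX_FILE_NAME_LENGTH + 1];   /* constructed sample names */
    for (size_t len = 98; len <= 100; len++) {
        memset(name, 'a', len);
        name[len] = '\0';
        printf("len=%zu needs=%zu flawed=%d fixed=%d store=%d\n", len,
               bytes_written(len), accepts_flawed(len), accepts_fixed(len),
               store_name(slot, name));
    }
    return 0;
}
```

At len=100 the flawed test still accepts the name although it needs 101 bytes, while the corrected test and store_name both refuse it.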
Attack Vector
The attack requires local access to the EV charging system to place a malicious certificate file in the certificate directory. When EVerest's IsoMux component processes certificates from this directory, it iterates through the files and copies filenames into the file_names[idx] buffer. A crafted filename of exactly 100 characters will trigger the overflow condition, corrupting adjacent stack memory.
The vulnerability allows for stack corruption which could be leveraged through techniques such as return address overwriting or corrupting other stack variables to alter program control flow. Given the local attack vector and the potential for code execution, this vulnerability poses significant risk to EV charging infrastructure where physical access to the charging station may be possible.
Detection Methods for CVE-2026-22593
Indicators of Compromise
- Presence of certificate files with filenames of exactly 100 characters in the EVerest certificate directory
- Unexpected crashes or segmentation faults in the IsoMux component
- Abnormal stack traces indicating memory corruption in certificate handling routines
- Suspicious files appearing in certificate directories with unusually long filenames
Detection Strategies
- Monitor certificate directories for files with filenames approaching or at the 100-character boundary
- Implement file integrity monitoring on EV charging systems to detect unauthorized certificate file additions
- Review system logs for IsoMux component crashes or error messages related to certificate processing
- Deploy endpoint detection and response (EDR) solutions to monitor for exploitation attempts
Monitoring Recommendations
- Enable verbose logging for the EVerest IsoMux certificate handling component
- Implement alerts for any new files added to certificate directories
- Monitor for process crashes or abnormal terminations in EVerest services
- Review system audit logs for unauthorized file system modifications in certificate storage locations
How to Mitigate CVE-2026-22593
Immediate Actions Required
- Update EVerest to version 2026.02.0 or later, which contains the security patch
- Audit certificate directories for any suspicious files with filenames near 100 characters
- Restrict file system permissions on certificate directories to prevent unauthorized file placement
- Implement network segmentation to limit access to EV charging infrastructure
Patch Information
The EVerest project has released version 2026.02.0, which addresses this vulnerability by correcting the boundary check in the IsoMux certificate filename handling code. Organizations running EVerest should upgrade to this version or later as soon as possible. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Implement strict access controls on certificate directories to prevent unauthorized file creation
- Monitor and audit certificate directories for files with filenames approaching 100 characters
- Consider implementing application-level sandboxing for the EVerest IsoMux component
- Restrict physical and network access to EV charging systems until patching can be completed
# Configuration example
# Restrict certificate directory permissions to limit attack surface
chmod 750 /path/to/everest/certificates
chown root:everest /path/to/everest/certificates
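# Monitor for suspicious certificate files with long filenames
# Build a glob of 100 '?' followed by '*': it matches file names of 100 or more characters
pattern="$(printf '%100s' '' | tr ' ' '?')*"
# LC_ALL=C makes each '?' match one byte, so the length is counted in bytes
LC_ALL=C find /path/to/everest/certificates -type f -name "$pattern" -exec ls -la {} \;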


