CVE-2026-22790 Overview
CVE-2026-22790 is a stack-based buffer overflow vulnerability in EVerest, an open-source EV charging software stack. The vulnerability exists in the HomeplugMessage::setup_payload function, which improperly trusts the len parameter after an assert check. In release builds where assertions are disabled, oversized SLAC (Signal Level Attenuation Characterization) payloads can overflow a ~1497-byte stack buffer through memcpy, corrupting the stack and enabling remote code execution from network-provided frames.
Critical Impact
Adjacent network attackers can achieve remote code execution on vulnerable EV charging infrastructure by sending malicious SLAC frames, potentially compromising charging station operations and connected vehicle communications.
Affected Products
- EVerest EV charging software stack versions prior to 2026.02.0
- Systems running EVerest with release builds (where assertions are stripped)
- HomePlug Green PHY communication implementations using vulnerable EVerest versions
Discovery Timeline
- 2026-03-26 - CVE-2026-22790 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-22790
Vulnerability Analysis
This stack-based buffer overflow (CWE-121) is a classic case of debug-versus-release build divergence. The vulnerable code path in HomeplugMessage::setup_payload relies on an assert statement to validate the len parameter before copying payload data into a fixed-size stack buffer. That check works in debug builds, but standard C/C++ release configurations define the NDEBUG preprocessor macro, which compiles assert statements out entirely, so the length is never checked at runtime.
The vulnerability is exploitable from an adjacent network position, meaning an attacker must have access to the same network segment as the vulnerable EVerest instance. This is particularly concerning in EV charging infrastructure where HomePlug Green PHY powerline communication is used between vehicles and charging stations. An attacker with physical proximity or network access to the charging infrastructure can craft malicious SLAC frames with oversized payloads.
Root Cause
The root cause stems from improper input validation that relies on assert for security-critical length checking. When the len parameter exceeds the intended buffer size (~1497 bytes) and the assertion is stripped in release builds, the subsequent memcpy operation writes beyond the stack buffer boundaries. This design flaw violates secure coding principles that mandate runtime validation independent of debug assertions for security-sensitive operations.
Attack Vector
The attack vector is adjacent network-based, requiring the attacker to be on the same network segment as the vulnerable EVerest deployment. Exploitation involves sending specially crafted SLAC protocol frames with payload lengths exceeding the stack buffer capacity. The HomePlug communication protocol is commonly used in EV charging for ISO 15118 and IEC 61851 implementations, making charging stations and related infrastructure the primary targets.
Exploitation proceeds as follows:
- A malicious SLAC frame is crafted with an oversized payload length value
- The frame is transmitted to a vulnerable EVerest instance over the adjacent network
- The setup_payload function copies the attacker-controlled data past the stack buffer boundary
- The resulting stack corruption enables control-flow hijacking and arbitrary code execution
The technical details of exploitation are documented in the GitHub Security Advisory.
Detection Methods for CVE-2026-22790
Indicators of Compromise
- Abnormally large SLAC frames (payloads exceeding ~1497 bytes) observed in HomePlug network traffic
- Unexpected crashes or segmentation faults in EVerest processes
- Evidence of code execution or shell access from EVerest service context
- Anomalous network behavior from charging station controllers
Detection Strategies
- Monitor HomePlug Green PHY traffic for SLAC frames with payload sizes exceeding protocol norms
- Implement application-level logging to capture payload length values processed by HomeplugMessage::setup_payload
- Deploy memory corruption detection tools (ASAN, Valgrind) in test environments to identify overflow attempts
- Use SentinelOne Singularity to detect exploitation attempts through behavioral analysis and memory protection
Monitoring Recommendations
- Enable enhanced logging for EVerest instances to track incoming frame sizes and processing anomalies
- Deploy network intrusion detection rules targeting oversized SLAC payloads
- Monitor EVerest process stability and unexpected terminations as potential indicators of exploitation attempts
- Implement file integrity monitoring on EVerest binaries and configuration files
How to Mitigate CVE-2026-22790
Immediate Actions Required
- Upgrade EVerest installations to version 2026.02.0 or later immediately
- Audit network segmentation to ensure EV charging infrastructure is isolated from untrusted networks
- Review build configurations to ensure security-critical applications are not stripping runtime validation
- Consider deploying network access controls to limit which devices can communicate with charging infrastructure
Patch Information
The EVerest development team has addressed this vulnerability in version 2026.02.0. The patch replaces the assert-based validation with proper runtime bounds checking that persists in release builds. Organizations should prioritize upgrading to the patched version. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Implement network-level filtering to drop SLAC frames with abnormally large payloads at perimeter devices
- Deploy EVerest with debug builds temporarily if production constraints allow (note: this has performance implications; with the assert active, an oversized payload aborts the process rather than corrupting the stack, so expect crashes instead of code execution)
- Restrict physical and network access to charging infrastructure to authorized personnel and systems only
- Consider implementing additional application-layer validation as a defense-in-depth measure
# Network isolation for EV charging infrastructure is a network-design measure:
# restrict HomePlug communication to authorized devices only and consult your
# network administrator for proper implementation.
# Verify the currently installed EVerest version
everest --version
# Update to the patched version (2026.02.0 or later) following the vendor
# documentation and the GitHub Security Advisory:
# https://github.com/EVerest/EVerest/security/advisories/GHSA-wh8w-7cfc-gq7m
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.