CVE-2026-22593
Published: 26 March 2026
Summary
CVE-2026-22593 is a high-severity Off-by-one Error (CWE-193) vulnerability in Linuxfoundation Everest. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of the off-by-one buffer overflow flaw in IsoMux certificate filename handling, as patched in EVerest version 2026.02.0.
Implements memory protection mechanisms such as stack canaries, ASLR, and DEP to prevent arbitrary code execution from stack corruption caused by crafted certificate filenames.
Mandates validation of certificate filename lengths and formats to block inputs that trigger the off-by-one error and subsequent buffer overflow in the file_names array.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local stack-based buffer overflow enabling arbitrary code execution in EVerest process context (AV:L/PR:N).
NVD Description
EVerest is an EV charging software stack. Prior to version 2026.02.0, an off-by-one check in IsoMux certificate filename handling causes a stack-based buffer overflow when a filename length equals `MAX_FILE_NAME_LENGTH` (100). A crafted filename in the certificate directory can overflow…
more
`file_names[idx]`, corrupting stack state and enabling potential code execution. Version 2026.02.0 contains a patch.
Deeper analysisAI
CVE-2026-22593 is a stack-based buffer overflow vulnerability in EVerest, an open-source EV charging software stack. Prior to version 2026.02.0, an off-by-one check in the IsoMux component's certificate filename handling triggers the overflow when a filename length equals MAX_FILE_NAME_LENGTH (100). A crafted filename placed in the certificate directory can overflow the file_names[idx] array, corrupting adjacent stack state and enabling potential arbitrary code execution. The issue is classified under CWE-193 (Off-by-One Error) with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability with low complexity and no privileges or user interaction required. By controlling a filename in the relevant certificate directory, the attacker can manipulate stack memory, leading to crashes or code execution in the context of the EVerest process. The unchanged scope indicates impacts remain within the affected component, but high confidentiality, integrity, and availability effects make it severe for systems running vulnerable versions.
The official GitHub security advisory (GHSA-cpqf-mcqc-783m) documents the flaw, and EVerest version 2026.02.0 includes a patch to address the off-by-one check in filename handling. Security practitioners should upgrade to this version or later and review certificate directory access controls to prevent crafted filenames from being introduced.
Details
- CWE(s)