CVE-2026-22790
Published: 26 March 2026
Summary
CVE-2026-22790 is a high-severity stack-based buffer overflow (CWE-121) vulnerability in Linux Foundation EVerest. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 25.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires validation of network-provided SLAC payload lengths before memcpy into the fixed-size stack buffer, directly preventing the buffer overflow.
Implements stack canaries, DEP, and ASLR to protect against stack corruption and RCE even if invalid input bypasses checks.
Mandates timely flaw remediation including patching to version 2026.02.0, which fixes the assert elision and buffer overflow vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack buffer overflow enables unauthenticated RCE over adjacent network (HomePlug), directly mapping to exploitation of remote services for initial code execution.
NVD Description
EVerest is an EV charging software stack. Prior to version 2026.02.0, `HomeplugMessage::setup_payload` trusts `len` after an `assert`; in release builds the check is removed, so oversized SLAC payloads are `memcpy`'d into a ~1497-byte stack buffer, corrupting the stack and enabling remote code execution from network-provided frames. Version 2026.02.0 contains a patch.
Deeper analysis
CVE-2026-22790 is a stack-based buffer overflow vulnerability (CWE-121) in EVerest, an open-source EV charging software stack. The flaw affects versions prior to 2026.02.0 and occurs in the `HomeplugMessage::setup_payload` function, which trusts the `len` parameter following an `assert` statement that is elided in release builds. This permits oversized SLAC payloads from network-provided frames to be copied via `memcpy` into a stack buffer of approximately 1497 bytes, resulting in stack corruption and potential remote code execution.
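The assert-only pattern described above, next to a hardened form, as an added example that is not EVerest's code or its patch. `Frame`, `kPayloadMax` and both function names are hypothetical, and the buffer size simply follows the approximate 1497-byte figure in the description.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical stand-in for the message buffer. The size follows the
// approximate figure quoted on this page; it is an assumption.
constexpr std::size_t kPayloadMax = 1497;

struct Frame {
    std::uint8_t payload[kPayloadMax];
    std::size_t used = 0;
};

// Pattern from the description: the only bound on len is an assert.
// When the build defines NDEBUG (usual for release builds), assert()
// expands to nothing, so memcpy runs with the length the frame supplied.
void setup_payload_assert_only(Frame& f, const void* src, std::size_t len) {
    assert(len <= sizeof(f.payload));
    std::memcpy(f.payload, src, len);
    f.used = len;
}

// Hardened form: the bound is ordinary control flow, present in every
// build type. Rejection is reported so the caller can drop the frame.
bool setup_payload_checked(Frame& f, const void* src, std::size_t len) {
    if (src == nullptr || len > sizeof(f.payload)) {
        return false;  // f is left untouched
    }
    std::memcpy(f.payload, src, len);
    f.used = len;
    return true;
}

int main() {
    // Constructed input: one byte more than the buffer holds.
    static const std::uint8_t oversized[kPayloadMax + 1] = {0};
    Frame f;
    bool ok = setup_payload_checked(f, oversized, sizeof(oversized));
    std::printf("oversized frame accepted: %s\n", ok ? "yes" : "no");
    ok = setup_payload_checked(f, oversized, kPayloadMax);
    std::printf("max-size frame accepted: %s (used=%zu)\n",
                ok ? "yes" : "no", f.used);
    return 0;
}
```

`assert` documents an invariant for debug builds; a length taken from a network frame needs a check that survives `NDEBUG`.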
The vulnerability can be exploited by an unauthenticated attacker (PR:N) with adjacent network access (AV:A), such as over a HomePlug powerline network, requiring low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows arbitrary code execution with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 8.8 in an unchanged security scope (S:U).
The EVerest GitHub security advisory (GHSA-wh8w-7cfc-gq7m) states that version 2026.02.0 contains a patch addressing the issue, recommending affected users upgrade immediately to mitigate the risk.
Details
- CWE(s)