Cyber Resilience

CVE-2026-22790

High · Public PoC

Published: 26 March 2026

Modified: 31 March 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0053 (40.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22790 is a high-severity stack-based buffer overflow (CWE-121) vulnerability in Linux Foundation EVerest. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 40.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-22790 is a stack-based buffer overflow vulnerability (CWE-121) in EVerest, an open-source EV charging software stack. The flaw affects versions prior to 2026.02.0 and occurs in the `HomeplugMessage::setup_payload` function, which relies on an `assert` statement to bound the `len` parameter. Because the `assert` is elided in release builds, `len` is trusted unchecked. This permits oversized SLAC payloads from network-provided frames to be copied via `memcpy` into a stack buffer of approximately 1497 bytes, resulting in stack corruption and potential remote code execution.

The vulnerability can be exploited by an unauthenticated attacker (PR:N) with adjacent network access (AV:A), such as over a HomePlug powerline network, requiring low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows arbitrary code execution with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 8.8 in an unchanged security scope (S:U).

The EVerest GitHub security advisory (GHSA-wh8w-7cfc-gq7m) states that version 2026.02.0 contains a patch addressing the issue, recommending affected users upgrade immediately to mitigate the risk.
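The assert-only bound described above, next to a runtime check that survives release builds. This is an added example, not EVerest's code or its patch: the `Message` type, the function names and the sample frames are hypothetical, the 1497-byte capacity is the approximate figure from this page, and the 14-byte Ethernet header with EtherType 0x88E1 (HomePlug AV) is an assumed framing.

```cpp
#include <array>
#include <cassert>
#include <cstdint>
#include <cstring>
#include <vector>

// Assumed capacity: the page gives the stack buffer as roughly 1497 bytes.
constexpr std::size_t kPayloadCapacity = 1497;
constexpr std::size_t kEthHeaderLen = 14;      // dst MAC + src MAC + EtherType
constexpr std::uint16_t kHomePlugAv = 0x88E1;  // HomePlug AV EtherType

// Hypothetical stand-in for the message class, not EVerest's definition.
struct Message {
    std::array<std::uint8_t, kPayloadCapacity> payload{};
    std::size_t payload_len = 0;

    // Pattern the page describes: with -DNDEBUG the assert expands to nothing,
    // so len reaches memcpy unchecked. Kept for comparison, never called here.
    void setup_payload_assert_only(const void* src, std::size_t len) {
        assert(len <= payload.size());
        std::memcpy(payload.data(), src, len);
        payload_len = len;
    }

    // Hardened form: the bound is ordinary control flow in every build type.
    bool setup_payload_checked(const void* src, std::size_t len) {
        if (src == nullptr || len > payload.size()) return false;
        std::memcpy(payload.data(), src, len);
        payload_len = len;
        return true;
    }
};

// Receive path: the length comes from the wire, so it is validated before any copy.
bool handle_frame(const std::vector<std::uint8_t>& frame, Message& out) {
    if (frame.size() < kEthHeaderLen) return false;  // truncated header
    const std::uint16_t ethertype =
        static_cast<std::uint16_t>((frame[12] << 8) | frame[13]);
    if (ethertype != kHomePlugAv) return false;      // not a HomePlug frame
    return out.setup_payload_checked(frame.data() + kEthHeaderLen,
                                     frame.size() - kEthHeaderLen);
}

// Constructed sample frame: 0xAB filler everywhere except the EtherType field.
std::vector<std::uint8_t> make_frame(std::size_t payload_len) {
    std::vector<std::uint8_t> f(kEthHeaderLen + payload_len, 0xAB);
    f[12] = 0x88; f[13] = 0xE1;
    return f;
}
```

A rejected frame leaves the message untouched, so the caller can drop it and log the oversized length for detection.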

Vulnerability details

EVerest is an EV charging software stack. Prior to version 2026.02.0, `HomeplugMessage::setup_payload` trusts `len` after an `assert`; in release builds the check is removed, so oversized SLAC payloads are `memcpy`'d into a ~1497-byte stack buffer, corrupting the stack and enabling remote code execution from network-provided frames. Version 2026.02.0 contains a patch.

CWE(s)

CWE-121 Stack-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (Tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Stack buffer overflow enables unauthenticated RCE over adjacent network (HomePlug), directly mapping to exploitation of remote services for initial code execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23995 · Same product: Linuxfoundation Everest
CVE-2026-27815 · Same product: Linuxfoundation Everest
CVE-2026-26008 · Same product: Linuxfoundation Everest
CVE-2025-68137 · Same product: Linuxfoundation Everest
CVE-2026-22593 · Same product: Linuxfoundation Everest
CVE-2025-68133 · Same product: Linuxfoundation Everest
CVE-2026-27816 · Same product: Linuxfoundation Everest
CVE-2026-27828 · Same product: Linuxfoundation Everest
CVE-2026-33009 · Same product: Linuxfoundation Everest
CVE-2025-68136 · Same product: Linuxfoundation Everest

Affected Assets

Vendor: linuxfoundation
Product: everest
Version: ≤ 2026.02.0

Mitigating Controls

NIST 800-53 r5 controls (AI)

prevent

Requires validation of network-provided SLAC payload lengths before memcpy into the fixed-size stack buffer, directly preventing the buffer overflow.

prevent

Implements stack canaries, DEP, and ASLR to protect against stack corruption and RCE even if invalid input bypasses checks.

prevent

Mandates timely flaw remediation including patching to version 2026.02.0, which fixes the assert elision and buffer overflow vulnerability.
