CVE-2026-26008
Published: 26 March 2026
Summary
CVE-2026-26008 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linuxfoundation Everest. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 18.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, prioritization, and remediation of flaws such as the out-of-bounds access in EVerest, which is directly addressed by upgrading to version 2026.2.0.
SI-16 implements memory protection mechanisms such as bounds checking to prevent out-of-bounds vector access leading to crashes or corruption from malformed UpdateAllowedEnergyTransferModes messages.
SI-10 enforces validation of network inputs like CSMS UpdateAllowedEnergyTransferModes messages to block malformed data triggering the std::vector out-of-bounds read.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remotely reachable, unauthenticated message-handling flaw in public-facing EV charging software directly enables exploitation via T1190 and yields a denial-of-service impact via T1499.004 (application exploitation).
NVD Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access (std::vector) that leads to possible remote crash/memory corruption. This is because the CSMS sends UpdateAllowedEnergyTransferModes over the network. Version 2026.2.0 contains a patch.
Deeper analysis
CVE-2026-26008 is an out-of-bounds access vulnerability in a std::vector within EVerest, an open-source EV charging software stack. Versions prior to 2026.02.0 are affected; the issue arises when the Charging Station Management System (CSMS) sends UpdateAllowedEnergyTransferModes messages over the network. This flaw, classified under CWE-125 (Out-of-bounds Read), can result in remote crashes or memory corruption and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction, requiring only low attack complexity. Exploitation triggers the out-of-bounds access, leading to high-impact denial of service through application crashes or memory corruption, with no direct effects on confidentiality or integrity.
The official GitHub security advisory (GHSA-vw95-6jj7-3fv9) details the issue and mitigation. EVerest version 2026.2.0 includes a patch that resolves the vulnerability, and users should upgrade to this version or later to protect affected deployments.
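To make the SI-10 (input validation) and SI-16 (bounds checking) controls concrete, the following added example shows the unchecked std::vector indexing pattern that produces an out-of-bounds read on a malformed message beside a hardened handler that validates the whole message and rejects it instead of crashing. This is illustrative code written for this page, not EVerest's own implementation: the mode table, the message shape (a list of indices into that table) and the function names are constructed assumptions, and the real UpdateAllowedEnergyTransferModes payload and the exact faulty access in EVerest are not described here.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Constructed stand-in for the energy-transfer modes a station supports.
// The names are illustrative, not EVerest's own identifiers.
static const std::vector<std::string> kSupportedModes = {
    "AC_single_phase", "AC_three_phase", "DC", "DC_BPT"};

// Constructed (hypothetical) message shape: the CSMS sends a list of
// indices into the station's mode table over the network.
struct UpdateAllowedEnergyTransferModes {
    std::vector<std::size_t> allowed_mode_indices;
};

// Unchecked pattern, shown only for contrast: operator[] performs no bounds
// check, so an index >= kSupportedModes.size() from a malformed message is an
// out-of-bounds read (undefined behaviour: crash or memory corruption).
std::vector<std::string> resolveModesUnchecked(
        const UpdateAllowedEnergyTransferModes& msg) {
    std::vector<std::string> out;
    for (std::size_t idx : msg.allowed_mode_indices)
        out.push_back(kSupportedModes[idx]);   // no validation of idx
    return out;
}

// Hardened handler: validate every field of the network message before
// acting on it (SI-10) and bounds-check each access (SI-16). Malformed
// input yields std::nullopt, which the caller treats as "reject message".
// Note: kSupportedModes.at(idx) would throw instead of reading out of
// bounds, but an uncaught exception still takes the process down, so an
// explicit reject path is preferable for untrusted input.
std::optional<std::vector<std::string>> resolveModesChecked(
        const UpdateAllowedEnergyTransferModes& msg) {
    const std::size_t n = kSupportedModes.size();
    // An empty list or more entries than modes exist is not a valid update.
    if (msg.allowed_mode_indices.empty() || msg.allowed_mode_indices.size() > n)
        return std::nullopt;
    std::vector<std::string> out;
    for (std::size_t idx : msg.allowed_mode_indices) {
        if (idx >= n)                       // reject out-of-range index
            return std::nullopt;
        out.push_back(kSupportedModes[idx]);  // safe: idx validated above
    }
    return out;
}
```

A rejected message should also be logged with its source, since repeated malformed UpdateAllowedEnergyTransferModes messages from a CSMS endpoint are a useful detection signal for attempted T1499.004-style exploitation.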
Details
- CWE(s)