Cyber Resilience

CVE-2026-26008

High

Published: 26 March 2026

Published
26 March 2026
Modified
31 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 5.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26008 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linuxfoundation Everest. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-26008 is an out-of-bounds access vulnerability in a std::vector within EVerest, an open-source EV charging software stack. Versions prior to 2026.02.0 are affected, where the issue arises when the Charging Station Management System (CSMS) sends UpdateAllowedEnergyTransferModes messages over the network. This flaw, classified under CWE-125 (Out-of-bounds Read), can result in remote crashes or memory corruption and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction, requiring only low attack complexity. Exploitation triggers the out-of-bounds access, leading to high-impact denial of service through application crashes or memory corruption, with no direct effects on confidentiality or integrity.

The official GitHub security advisory (GHSA-vw95-6jj7-3fv9) details the issue and mitigation. EVerest version 2026.2.0 includes a patch that resolves the vulnerability, and users should upgrade to this version or later to protect affected deployments.

EU & UK References

Vulnerability details

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access (std::vector) that leads to possible remote crash/memory corruption. This is because the CSMS sends UpdateAllowedEnergyTransferModes over the network. Version 2026.2.0 contains a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated network message handling flaw in public-facing EV charging software directly enables T1190 exploitation and achieves DoS impact via T1499.004 application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33009Same product: Linuxfoundation Everest
CVE-2026-27816Same product: Linuxfoundation Everest
CVE-2026-27815Same product: Linuxfoundation Everest
CVE-2025-68137Same product: Linuxfoundation Everest
CVE-2025-68136Same product: Linuxfoundation Everest
CVE-2025-68141Same product: Linuxfoundation Everest
CVE-2025-68133Same product: Linuxfoundation Everest
CVE-2026-27828Same product: Linuxfoundation Everest
CVE-2025-68134Same product: Linuxfoundation Everest
CVE-2026-23995Same product: Linuxfoundation Everest

Affected Assets

linuxfoundation
everest
≤ 2026.02.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification, reporting, prioritization, and remediation of flaws like the out-of-bounds access in EVerest, directly addressed by upgrading to version 2026.2.0.

prevent

SI-16 implements memory protection mechanisms such as bounds checking to prevent out-of-bounds vector access leading to crashes or corruption from malformed UpdateAllowedEnergyTransferModes messages.

prevent

SI-10 enforces validation of network inputs like CSMS UpdateAllowedEnergyTransferModes messages to block malformed data triggering the std::vector out-of-bounds read.

References