CVE-2026-27815
Published: 26 March 2026
Summary
CVE-2026-27815 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Linuxfoundation Everest. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of incoming MQTT payloads, including bounds checking on variable-length payment_options lists, to prevent out-of-bounds writes.
Implements memory protections like stack guards and address randomization to block exploitation of out-of-bounds writes corrupting EVSE state.
Mandates timely flaw remediation by applying the patch in EVerest version 2026.02.0 to eliminate the buffer overflow vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB write in network-exposed EV charging component (MQTT/ISO15118 handler) directly enables remote unauthenticated exploitation of a public-facing or remote service, resulting in process crash or state corruption that maps to application exploitation for DoS.
NVD Description
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO15118_chargerImpl::handle_session_setup copies a variable-length payment_options list into a fixed-size array of length 2 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can trigger…
more
out-of-bounds writes and corrupt adjacent EVSE state or crash the process. Version 2026.02.0 contains a patch.
Deeper analysisAI
CVE-2026-27815 is a high-severity out-of-bounds write vulnerability (CWE-787) in the EVerest EV charging software stack, affecting versions prior to 2026.02.0. The issue resides in the ISO15118_chargerImpl::handle_session_setup function, which copies a variable-length payment_options list into a fixed-size array of length 2 without performing bounds checking. Schema validation is disabled by default, enabling oversized MQTT command payloads to trigger the out-of-bounds write, which can corrupt adjacent EVSE state or crash the process. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
Remote attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction due to its low attack complexity. By sending crafted oversized MQTT payloads to the affected component, attackers can achieve integrity and availability impacts, including corruption of nearby memory structures in the EVSE state or denial of service via process crashes. There is no confidentiality impact.
The GitHub Security Advisory (GHSA-7wmg-crc8-6xxf) confirms that EVerest version 2026.02.0 addresses the issue with a patch. Security practitioners should upgrade to this version or later and consider enabling schema validation where feasible to mitigate exploitation risks.
Details
- CWE(s)