CVE-2026-26008 is an out-of-bounds read vulnerability classified under CWE-125 found in the everest-core component of the EVerest EV charging software stack. The vulnerability arises due to improper bounds checking when processing the UpdateAllowedEnergyTransferModes message sent by the Charging Station Management System (CSMS) over the network. Specifically, the software accesses elements of a std::vector beyond its valid range, which can lead to reading invalid memory locations. This memory access flaw can cause the affected software to crash or exhibit memory corruption, potentially destabilizing the EV charging service. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5, reflecting high severity mainly due to the impact on availability and ease of exploitation. The issue affects all versions of everest-core prior to 2026.02.0, where the vendor has implemented a patch to properly validate vector indices and prevent out-of-bounds access. No public exploits have been reported to date, but the vulnerability poses a significant risk to EV charging infrastructure relying on EVerest software.

The primary impact of CVE-2026-26008 is on the availability of EV charging infrastructure components running the vulnerable everest-core software. Successful exploitation can cause remote crashes or memory corruption, potentially leading to denial of service conditions. This disruption can affect EV charging station operations, resulting in service outages and reduced reliability for EV users. Given the increasing adoption of electric vehicles and reliance on networked charging management systems, this vulnerability could have widespread operational consequences. While confidentiality and integrity impacts are not indicated, the availability impact alone can cause significant operational and reputational damage to organizations managing EV charging networks. Additionally, memory corruption could potentially be leveraged for further exploitation, though no such cases are currently known.

Organizations should immediately upgrade all instances of the EVerest everest-core software to version 2026.02.0 or later, where the out-of-bounds read vulnerability has been patched. Network-level controls should be implemented to restrict and monitor traffic from Charging Station Management Systems (CSMS) to the everest-core components, limiting exposure to untrusted sources. Employing intrusion detection systems (IDS) to detect anomalous UpdateAllowedEnergyTransferModes messages could provide early warning of exploitation attempts. Regularly auditing and testing EV charging infrastructure software for memory safety issues is recommended to prevent similar vulnerabilities. Additionally, organizations should maintain an incident response plan tailored to EV infrastructure disruptions to minimize downtime in case of exploitation. Vendors should consider adopting safer coding practices, such as bounds-checked container access or static analysis tools, to prevent future out-of-bounds vulnerabilities.