Unrated severityOSV Advisory· Published Jan 21, 2026· Updated Jan 21, 2026

EVerest has out-of-bounds read in DZG_GSH01 SLIP CRC parser that can crash powermeter driver

CVE-2025-68132

Description

EVerest is an EV charging software stack. Prior to version 2025.12.0, is_message_crc_correct in the DZG_GSH01 powermeter SLIP parser reads vec[vec.size()-1] and vec[vec.size()-2] without checking that at least two bytes are present. Malformed SLIP frames on the serial link can reach is_message_crc_correct with vec.size() < 2 (only via the multi-message path), causing an out-of-bounds read before CRC verification and pop_back underflow. Therefore, an attacker controlling the serial input can reliably crash the process. Version 2025.12.0 fixes the issue.

Affected products

Everest/Everest CoreOSV
Range: 2022.12.0, 2022.12.1, 2023.1.0, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/EVerest/everest-core/commit/b8139b95144e3fe0082789b7fafe4e532ee494a1mitrex_refsource_MISC
github.com/EVerest/everest-core/security/advisories/GHSA-79gc-m8w6-9hx5mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000