CVE-2026-4156: Stack Buffer Overflow in ChargePoint Home Flex EV Charger Demonstrated at Pwn2Own
A critical stack-based buffer overflow in the ChargePoint Home Flex EV charger's OCPP message handling, demonstrated at Pwn2Own, allows network-adjacent attackers to execute arbitrary code as root without authentication.

A critical vulnerability in the ChargePoint Home Flex electric vehicle charger has been disclosed, carrying the identifier CVE-2026-4156 and a CVSS score of 7.5. The flaw, a stack-based buffer overflow in the charger's Open Charge Point Protocol (OCPP) message handling, was demonstrated at the Pwn2Own hacking contest and is now publicly detailed in an advisory from the Zero Day Initiative (ZDI-26-196).
The vulnerability resides in how the ChargePoint Home Flex processes OCPP messages. Specifically, the software fails to properly validate the length of user-supplied data before copying it to a fixed-length stack-based buffer. An attacker who is network-adjacent (on the same local network as the charger) can exploit this without any authentication. Successful exploitation grants the attacker remote code execution in the context of the root user, giving them full control over the device.
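The bug class described above, shown as an added example in C; it is not ChargePoint's firmware code or code from the advisory, which does not say which OCPP field is affected. The handler names and the 20-character limit (the size OCPP 1.6 gives CiString20Type values such as idTag) are assumptions chosen for illustration, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit: OCPP 1.6 CiString20Type (for example idTag) allows 20 characters. */
#define FIELD_MAX 20

/* Unsafe pattern of the kind the advisory describes: the input length is
 * never compared with the size of the fixed stack buffer. Shown for contrast only. */
size_t handle_field_unsafe(const char *src) {
    char field[FIELD_MAX + 1];
    strcpy(field, src);              /* writes past field[] when src is too long */
    return strlen(field);
}

/* Hardened copy: src is a length-delimited slice of the received message. */
int copy_field(char *dst, size_t dst_size, const unsigned char *src, size_t src_len) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    if (src_len >= dst_size)         /* one byte must remain for the terminator */
        return -1;
    if (memchr(src, '\0', src_len) != NULL)
        return -1;                   /* embedded NUL: reject rather than truncate */
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Hypothetical handler: returns the field length, or -1 if the message is dropped. */
int handle_field(const unsigned char *src, size_t src_len) {
    char field[FIELD_MAX + 1];
    if (copy_field(field, sizeof field, src, src_len) != 0)
        return -1;
    return (int)strlen(field);
}

int main(void) {
    unsigned char big[4096];         /* constructed oversize input */
    memset(big, 'A', sizeof big);
    printf("%d\n", handle_field((const unsigned char *)"TAG0001", 7));
    printf("%d\n", handle_field(big, FIELD_MAX));
    printf("%d\n", handle_field(big, sizeof big));
    return 0;
}
```

Rejecting the oversize value outright, instead of truncating it, keeps the handler from acting on a partial field.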
The impact of this vulnerability is significant given the widespread deployment of ChargePoint Home Flex chargers in residential and commercial settings. An attacker who compromises a charger could potentially manipulate charging sessions, disrupt grid connectivity, or use the device as a pivot point to attack other systems on the same network. The vulnerability was discovered and reported by the security research team at Synacktiv, who demonstrated it at Pwn2Own.
ChargePoint has released a firmware update to address the issue. The fix is included in CPH50 firmware version 5.5.4.22. Users of the ChargePoint Home Flex are strongly advised to update their devices to this version as soon as possible to mitigate the risk of exploitation. The advisory notes that the vulnerability was reported to ChargePoint on March 6, 2025, and the coordinated public disclosure occurred on March 16, 2026.
This vulnerability highlights the growing security concerns around Internet of Things (IoT) devices, particularly those in critical infrastructure like EV charging stations. As the adoption of electric vehicles accelerates, the security of the charging ecosystem becomes increasingly important. The fact that this flaw was demonstrated at Pwn2Own, a premier hacking competition, underscores the real-world risk it poses. The disclosure serves as a reminder for manufacturers to implement robust input validation and for users to keep their devices updated with the latest firmware.