ZDI 2026-03-16

ZDI-26-196: (Pwn2Own) ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execution Vulnerability

CVE-2026-4156

Machine-generated analysis · WAYSCloud LLM

The vulnerability is a stack-based buffer overflow in the OCPP getpreq function, exploitable by network-adjacent attackers without authentication.

Context

The ChargePoint Home Flex EV charger is affected, specifically in its OCPP implementation. The vulnerability is a stack-based buffer overflow that can lead to remote code execution. The advisory notes exploitation does not require authentication. Worth noting, the CVSS score is rated 7.5, indicating moderate severity.

Operator considerations

Check: Identify ChargePoint Home Flex EV chargers on the network that process OCPP getpreq requests.

From Zero Day Initiative ↗

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex EV chargers. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2026-4156.

Read the full advisory on ZDI →