{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4156", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-13T20:34:05.267Z", "datePublished": "2026-04-11T00:16:32.094Z", "dateUpdated": "2026-04-13T17:38:27.403Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:16:32.094Z"}, "title": "ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex EV chargers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26339."}], "affected": [{"vendor": "ChargePoint", "product": "Home Flex", "versions": [{"version": "5.5.4.13", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-196/", "name": "ZDI-26-196", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-13T20:34:05.314Z", "datePublic": "2026-03-16T21:29:34.686Z", "source": {"lang": "en", "value": "Synacktiv"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:38:14.819060Z", "id": "CVE-2026-4156", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:38:27.403Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4156", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T17:38:14.819060Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:38:22.279Z"}}], "cna": {"title": "ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execution Vulnerability", "source": {"lang": "en", "value": "Synacktiv"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "ChargePoint", "product": "Home Flex", "versions": [{"status": "affected", "version": "5.5.4.13"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-16T21:29:34.686Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-196/", "name": "ZDI-26-196", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-13T20:34:05.314Z", "descriptions": [{"lang": "en", "value": "ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex EV chargers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26339."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:16:32.094Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4156", "state": "PUBLISHED", "dateUpdated": "2026-04-13T17:38:27.403Z", "dateReserved": "2026-03-13T20:34:05.267Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-04-11T00:16:32.094Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex EV chargers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26339."}], "id": "CVE-2026-4156", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-04-11T01:16:17.360", "references": [{"source": "zdi-disclosures@trendmicro.com", "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-196/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.5.4.13"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Home Flex", "source": "cna", "vendor": "ChargePoint"}, "product": "home_flex", "vendor": "chargepoint"}], "analysis": {"en": {"generated_at": "2026-04-11T02:24:37.018528+00:00", "value": {"mitigation_remediation": ["Check for and apply any available firmware or patch updates from ChargePoint for the Home Flex product. If a vendor update is not yet released, restrict OCPP traffic to trusted devices or isolate the charger on a separate network segment to limit external exposure. Monitor device logs for anomalous OCPP activity and consider disabling the getpreq functionality if it is not required."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects all ChargePoint Home Flex EV chargers. No specific firmware or hardware model information is disclosed, so any installation of ChargePoint Home Flex that processes OCPP getpreq messages is potentially vulnerable.", "description_and_impact": "A stack-based buffer overflow flaw has been discovered in the handling of OCPP messages on ChargePoint Home Flex EV chargers. The vulnerability stems from an absence of proper length validation for user\u2011supplied data before it is copied into a fixed\u2011size stack buffer. An attacker can exploit this flaw to inject arbitrary code, which the system then executes with root privileges. The vulnerability is classified as a CWE\u2011121 type buffer overflow and does not require any authentication to be successfully leveraged.", "risk_and_exploitability": "With a CVSS score of 7.5, the vulnerability is considered high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can potentially reach the target over the network without authentication, leveraging the remote OCPP interface. If the vulnerability is successfully exploited, the attacker gains full control of the charger device, compromising its integrity and potentially enabling broader attacks on connected infrastructure."}}}}, "created": "2026-04-13T12:42:09.950404+00:00", "updated": "2026-04-13T12:56:55.197380+00:00", "vendors": ["chargepoint", "chargepoint$PRODUCT$home_flex"]}