CVE-2026-9038 PUBLISHED

Stack-based buffer overflow in XCharge C6

Assigner: icscert
Reserved: 19.05.2026 Published: 28.05.2026 Updated: 28.05.2026

A stack-based buffer overflow vulnerability in the charging controller’s signal-processing logic allows an attacker with physical access to the charging interface to supply message fields that exceed expected bounds. Because the input is not sufficiently validated, memory corruption may occur, which can lead to execution of unauthorized code with elevated privileges.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 8.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Physical	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	XCharge
Product	C6
Versions	Default: unaffected affected from 0 to May_22_2026 (excl.)

Solutions

XCharge has confirmed that the update has been deployed for all affected chargers. Users with questions can reach out to XCharge Support for further details if needed. https://www.xcharge.com/contact

Credits

Lionel R. Saposnik of SaiFlow reported these vulnerabilities to CISA. finder

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08

Problem Types

CWE-121 Stack-based buffer overflow CWE