PatchSiren cyber security CVE debrief

CVE-2026-9038 XCharge CVE debrief

A stack-based buffer overflow vulnerability exists in a charging controller's signal-processing logic. The vulnerability stems from insufficient input validation on message fields supplied through the physical charging interface. An attacker with physical access can supply input that exceeds expected bounds, causing memory corruption that may lead to unauthorized code execution with elevated privileges. The vulnerability is classified as CWE-121 (Stack-based Buffer Overflow) and carries a HIGH severity CVSS score of 8.6. The CISA ICS-CERT has published advisory ICSA-26-148-08 addressing this issue. Physical access requirements limit remote exploitation, but the impact is severe given potential for complete system compromise.

Vendor: XCharge
Product: C6
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Operators of electric vehicle charging infrastructure, industrial control system security teams, charging equipment manufacturers, and facilities with exposed charging interfaces should prioritize this vulnerability given the potential for complete system compromise through physical access.

Technical summary

The vulnerability resides in signal-processing logic within a charging controller implementation. Message field parsing lacks adequate bounds checking, so an oversized field supplied through the physical charging interface is copied past the end of a fixed-size stack buffer and corrupts stack memory. Successful exploitation yields code execution with elevated privileges, potentially compromising the entire charging system. The CVSS 4.0 vector (AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) reflects that physical access is required (AV:P), but that no privileges, user interaction or special preconditions are needed and the attack complexity is low, with high confidentiality, integrity and availability impact on both the vulnerable controller (VC/VI/VA) and the subsequent systems it can reach (SC/SI/SA).

Defensive priority

HIGH

Recommended defensive actions

  • Restrict physical access to charging interfaces to authorized personnel only
  • Monitor for anomalous charging controller behavior or unexpected restarts
  • Apply vendor firmware updates when available per CISA ICS-CERT guidance
  • Implement input validation and bounds checking in charging controller firmware where source code access exists
  • Segment charging infrastructure networks to limit lateral movement if compromise occurs
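The bounds-checking fix called for above, and the unchecked pattern behind the CWE-121 finding in the technical summary, as an added example that is not XCharge's code. The message layout (type byte, length byte, payload), the 32-byte buffer size and all names are assumptions used only to illustrate the check.

```c
/* Added example (not the vendor's code): a hardened parser for a hypothetical
 * length-prefixed message field. Format, sizes and names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 32   /* assumed size of the fixed stack buffer */

/* The CWE-121 pattern the advisory describes, shown as a comment only:
 *     uint8_t field[FIELD_MAX];
 *     memcpy(field, msg + 2, msg[1]);   // msg[1] is never compared to FIELD_MAX
 * A length byte above FIELD_MAX writes past the end of the stack buffer. */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* Parse one field: msg[0] = field type, msg[1] = payload length, then payload.
 * Copies the payload into a FIELD_MAX-byte buffer only after checking the
 * claimed length against both the buffer and the bytes actually received. */
static int parse_field(const uint8_t *msg, size_t msg_len,
                       uint8_t *type, uint8_t field[FIELD_MAX], size_t *field_len)
{
    if (msg == NULL || msg_len < 2)
        return PARSE_TRUNCATED;        /* header itself is incomplete */
    size_t len = msg[1];
    if (len > FIELD_MAX)
        return PARSE_TOO_LONG;         /* would overflow the stack buffer */
    if (len > msg_len - 2)
        return PARSE_TRUNCATED;        /* claimed length exceeds received bytes */
    *type = msg[0];
    memcpy(field, msg + 2, len);       /* bounded by the two checks above */
    *field_len = len;
    return PARSE_OK;
}

/* Runs the parser against a message and returns its status code. */
static int check_message(const uint8_t *msg, size_t msg_len)
{
    uint8_t type = 0, field[FIELD_MAX];
    size_t field_len = 0;
    return parse_field(msg, msg_len, &type, field, &field_len);
}

/* Constructed sample messages in the assumed format. */
static const uint8_t sample_ok[]        = {0x01, 0x03, 0xAA, 0xBB, 0xCC};
static const uint8_t sample_too_long[]  = {0x01, 0xFF, 0x00};       /* claims 255 bytes */
static const uint8_t sample_truncated[] = {0x01, 0x10, 0x00, 0x00}; /* claims 16, sends 2 */

static int demo_ok(void)        { return check_message(sample_ok, sizeof sample_ok); }
static int demo_too_long(void)  { return check_message(sample_too_long, sizeof sample_too_long); }
static int demo_truncated(void) { return check_message(sample_truncated, sizeof sample_truncated); }
```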

Evidence notes

Vulnerability disclosed via NVD with CISA ICS-CERT advisory reference. CVSS 4.0 vector indicates physical attack vector (AV:P) with high impacts across confidentiality, integrity, and availability. Vendor identification marked as unknown and flagged for review.

Official resources

2026-05-28