Severity: HIGH | CVE-2026-9038 | CNA: icscert

CVE-2026-9038: Stack-based buffer overflow in XCharge C6

A stack-based buffer overflow vulnerability in the charging controller’s signal-processing logic allows an attacker with physical access to the charging interface to supply message fields that exceed expected bounds. Because the input is not sufficiently validated, memory corruption may occur, which can lead to execution of unauthorized code with elevated privileges.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow affects the XCharge C6 charging controller's signal-processing logic. An attacker with physical access to the charging interface can supply oversized message fields that corrupt memory because the input is not sufficiently validated. Successful exploitation enables execution of unauthorized code with elevated privileges, affecting confidentiality, integrity, and availability of both the local system and connected systems. A patched-image rebuild at version May_22_2026 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-9038 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including ICS-CERT advisories) within minutes of publication and matched against customer images, including custom-built images that incorporate the affected XCharge C6 firmware or software packages.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS v4.0 8.6 (HIGH) and weighting that score against each customer environment's compliance policy to determine priority. Triage results can be routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at version May_22_2026 is available on HarborGuard for any environment running an affected version of the XCharge C6 software. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachability: Not required

    Physical proximity to the charging interface is required; the attacker must have hands-on access to the device rather than reaching it over a network.

  • Authentication: Not required

    No credentials or account are needed; the attacker interacts directly with the physical charging interface without authenticating.

  • Victim interaction: Not required

    No user or victim action is needed beyond the attacker having physical access; exploitation does not require tricking anyone into performing a step.

  • Attack complexity

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions such as race conditions or specific memory layout prerequisites.

Blast Radius

  • Reads sensitive data from the local device and connected systems, including stored credentials, session state, and operational records.
  • Modifies data and configuration on the local controller and any connected upstream systems, with high integrity impact on both.
  • Crashes or disrupts the charging controller service and dependent connected systems, causing a full loss of availability.
  • Executes arbitrary code with elevated privileges on the controller, giving an attacker persistent control over the device and its interfaces.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9038 is matched against customer images the moment the advisory is ingested, covering any image that packages the XCharge C6 signal-processing components. For environments confirmed to be running a version prior to May_22_2026, a patched-image rebuild at the fixed version is available. For customers who opt into auto-remediation, HarborGuard can execute the full rebuild-and-verify flow and open a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with full CVSS v4.0 context and policy-weighted priority so that engineering teams can act manually. Because this vulnerability requires physical access, network-level compensating controls are not applicable, but teams may consider physical-access restrictions and firmware signing enforcement as interim measures while scheduling the upgrade.

Metrics

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: May_22_2026
Affected Products: 1

Fix available: May_22_2026

Affected packages
  • XCharge / C6: < May_22_2026 (from 0)

CVSS Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H