(Pwn2Own) Autel MaxiCharger AC Elite Home NFC Stack-based Buffer Overflow Arbitrary Code Execution Vulnerability
July 15th, 2026
Vulnerability Details
This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Home EV chargers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of card responses via the NFC interface. A crafted card response can trigger an overflow of a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device.
Additional Details
Fixed in firmware version V1.40.81
Disclosure Timeline
- 2026-03-19 - Vulnerability reported to vendor
- 2026-07-15 - Coordinated public release of advisory
- 2026-07-15 - Advisory Updated
Credit
Synacktiv