Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events (or delayed authorization response). Version 2026.2.0 contains a patch.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

EVerest's auth timeout timer contains a use-after-free race condition triggered by EV plug-in or unplug events and by RFID, RemoteStart or OCPP authorization actions (including a delayed authorization response). The flaw can corrupt memory, leading to a crash or unpredictable behavior and potentially interrupting charging operations.

Affected Systems

The vulnerability affects the everest-core component of the EVerest EV charging software stack in all releases earlier than version 2026.02.0. A patched version, 2026.2.0, is available.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. Because the flaw requires specific timing of authorization events, it is not trivially exploitable and no exploit probability score is available. The vulnerability is not listed in the CISA KEV catalog, and no public exploits have been reported. Attackers would likely need the ability to trigger plug-in/unplug or send authorization commands to manipulate the race condition, which may be limited to operators with access to the charging station or its management interface.

Generated by OpenCVE AI on March 26, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update EVerest core to version 2026.2.0 or later to apply the race-condition fix.
  • Confirm the upgraded software is running by checking version logs and ensuring no crash events occur after auth actions.
  • Until the patch is applied, consider limiting or disabling plug-in/unplug and RFID/OCPP authorization features to prevent the condition from arising, if feasible.

Tracking


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Everest
                                      Everest everest-core
Vendors & Products                    Everest
                                      Everest everest-core

Thu, 26 Mar 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description                    EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events (or delayed authorization response). Version 2026.2.0 contains a patch.
Title                          EVerest has use-after-free in auth timeout timer via race condition
Weaknesses                     CWE-416
References
Metrics                        cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H'}


Subscriptions

Everest Everest-core
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T14:55:23.562Z

Reserved: 2026-02-24T02:31:33.267Z

Link: CVE-2026-27813

Vulnrichment

Updated: 2026-03-27T14:55:19.674Z

NVD

Status: Received

Published: 2026-03-26T17:16:33.760

Modified: 2026-03-26T17:16:33.760

Link: CVE-2026-27813

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:26:21Z

Weaknesses