Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events (or delayed authorization response). Version 2026.2.0 contains a patch.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential memory corruption that can cause crashes or unstable behavior
Action: Apply Patch
AI Analysis

Impact

A race condition in the authentication timeout timer of EVerest Core triggers a use‑after‑free when an electric vehicle is plugged in or unplugged, or when RFID, RemoteStart, or OCPP authorization events occur—including delayed responses. The corrupted pointer may access freed memory, leading to data corruption, crashes, or unpredictable behavior, and could destabilize the stack or create conditions for further exploitation.

Affected Systems

The vulnerable product is the EVerest Core EV charging software stack. Versions prior to 2026.02.0 are affected. The stack is deployed on Linux operating systems as part of the Linux Foundation’s Everest project and is identified by the vendor/product name EVerest:everest-core.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. An EPSS score below 1% suggests that the likelihood of real‑world exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to trigger the race condition via plug/unplug or authorization events, which could be achieved by a device that can interact with the charging station or by an authenticated user. A patch is available in version 2026.2.0.

Generated by OpenCVE AI on March 31, 2026 at 06:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EVerest Core to version 2026.2.0 or later

Generated by OpenCVE AI on March 31, 2026 at 06:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation everest
CPEs cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation everest

Fri, 27 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Everest
Everest everest-core
Vendors & Products Everest
Everest everest-core

Thu, 26 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events (or delayed authorization response). Version 2026.2.0 contains a patch.
Title EVerest has use-after-free in auth timeout timer via race condition
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H'}

Subscriptions

Everest Everest-core
Linuxfoundation Everest
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T14:55:23.562Z

Reserved: 2026-02-24T02:31:33.267Z

Link: CVE-2026-27813

cve-icon Vulnrichment

Updated: 2026-03-27T14:55:19.674Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T17:16:33.760

Modified: 2026-03-30T20:56:42.230

Link: CVE-2026-27813

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:08:54Z

Weaknesses