Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (C++ UB) triggered by an A 1-phase ↔ 3-phase switch request (`ac_switch_three_phases_while_charging`) during charging/waiting executes concurrently with the state machine loop. Version 2026.02.0 contains a patch.
Published: 2026-03-26
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability is an unsynchronized access race in the EvseManager phase‑switch path, which can cause undefined behavior when an AC phase switch request is issued while charging. This race condition can lead to inconsistent shared state, resulting in a crash or unpredictable operation of the charging controller, effectively denying service to EV users.

Affected Systems

EVerest everest-core, all releases prior to 2026.02.0 are affected. The issue is found in the EV charging software stack maintained by the Linux Foundation.

Risk and Exploitability

CVSS score is 4.2, reflecting moderate potential impact, and the EPSS score is below 1%, indicating low likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack vector is inferred to be local or remote via the EVSE command interface that can trigger the phase‑switch request while the state machine loop is active, thereby inducing the race.

Generated by OpenCVE AI on March 31, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EVerest everest-core to version 2026.02.0 or later, which contains the race‑condition fix.
  • If upgrading is not immediately possible, disable the ac_switch_three_phases_while_charging feature or restrict access to phase‑switch commands until a patch is applied.

Generated by OpenCVE AI on March 31, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation everest
CPEs cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation everest

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Everest
Everest everest-core
Vendors & Products Everest
Everest everest-core

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (C++ UB) triggered by an A 1-phase ↔ 3-phase switch request (`ac_switch_three_phases_while_charging`) during charging/waiting executes concurrently with the state machine loop. Version 2026.02.0 contains a patch.
Title EVerest EvseManager phase-switch path has unsynchronized shared-state access race condition
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Everest Everest-core
Linuxfoundation Everest
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:50:34.592Z

Reserved: 2026-02-24T02:31:33.268Z

Link: CVE-2026-27814

cve-icon Vulnrichment

Updated: 2026-03-26T18:50:31.598Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T17:16:33.910

Modified: 2026-03-31T14:53:24.250

Link: CVE-2026-27814

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:08:53Z

Weaknesses