Skip to main content

Everest Core CVE-2026-27814

| EUVDEUVD-2026-16222 MEDIUM
Race Condition (CWE-362)
2026-03-26 GitHub_M
4.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.2 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.02.0
EUVD ID Assigned
Mar 26, 2026 - 16:45 euvd
EUVD-2026-16222
Analysis Generated
Mar 26, 2026 - 16:45 vuln.today
CVE Published
Mar 26, 2026 - 16:27 nvd
MEDIUM 4.2

DescriptionGitHub Advisory

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (C++ UB) triggered by an A 1-phase ↔ 3-phase switch request (ac_switch_three_phases_while_charging) during charging/waiting executes concurrently with the state machine loop. Version 2026.02.0 contains a patch.

AnalysisAI

Data race conditions in EVerest Core versions before 2026.02.0 allow concurrent access to charging state during phase switching operations, potentially causing integrity violations or service interruptions on affected EV charging systems. An attacker with adjacent network access can trigger the race condition by initiating phase switches during active charging sessions, exploiting the unsafe concurrent execution between the state machine and switching requests. No patch is currently available for this vulnerability.

Technical ContextAI

EVerest is a software platform for EV charging infrastructure that manages complex state machines for charging sessions and power delivery. The vulnerability root cause is CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), specifically a race condition in the C++ codebase. The affected component handles AC phase switching (ac_switch_three_phases_while_charging) which operates concurrently with the main state machine loop. Without proper mutex or synchronization primitives protecting shared state during the 1-phase to 3-phase mode transition, multiple threads can read and write charging state variables simultaneously, leading to undefined behavior such as memory corruption, inconsistent state, or unexpected state machine transitions. CPE cpe:2.3:a:everest:everest-core identifies all affected versions prior to 2026.02.0.

RemediationAI

Upgrade EVerest-Core to version 2026.02.0 or later immediately. The vendor has released a patched version (Vendor-released patch: 2026.02.0) that resolves the data race condition through proper synchronization of the phase-switching code path. Until patching is possible, operators should restrict network access to the EVerest control plane and state machine interfaces to trusted administrative networks only, and avoid issuing phase-switching requests during active charging sessions where feasible. Consult the EVerest project security advisory at https://github.com/EVerest/EVerest/security/advisories/GHSA-5528-wc53-v557 for deployment-specific guidance and confirmation of patched releases.

CVE-2026-22790 HIGH
8.8 Mar 26

Remote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attacker

CVE-2026-23995 HIGH
8.4 Mar 26

Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary

CVE-2026-22593 HIGH
8.4 Mar 26

Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certifica

CVE-2026-33009 HIGH
8.2 Mar 26

Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attacker

CVE-2026-26008 HIGH
7.5 Mar 26

Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unau

CVE-2026-26074 HIGH
7.0 Mar 26

Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to co

CVE-2026-26073 MEDIUM
5.9 Mar 26

EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling tr

CVE-2026-27828 MEDIUM
5.5 Mar 26

EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_charg

CVE-2026-27816 MEDIUM
5.5 Mar 26

EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handl

CVE-2026-27815 MEDIUM
5.5 Mar 26

Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corr

CVE-2026-27813 MEDIUM
5.3 Mar 26

EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memo

CVE-2026-33015 MEDIUM
5.2 Mar 26

EVerest charging software stack versions prior to 2026.02.0 allow EV operators to bypass remote stop commands issued by

Share

CVE-2026-27814 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy