CVE-2026-27813
Received Received - Intake
Use-After-Free Data Race in EVerest EV Charging Software

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events (or delayed authorization response). Version 2026.2.0 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27813
EUVD
EUVD-2026-16220
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation everest to 2026.02.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27813 is a use-after-free vulnerability caused by a data race condition in the Everest EVSE core software, specifically in the timer callback handling within the authentication timeout logic.

The vulnerability occurs because the timer callback function is updated and accessed concurrently by multiple threads without proper synchronization. This happens when external events such as EV plug-in/unplug and authorization events (RFID, RemoteStart, OCPP) trigger overlapping operations on the timer.

Due to this race condition, the timer thread may invoke a callback function that has already been freed or overwritten, leading to undefined behavior such as crashes.

The root cause is that the timer's callback is updated in the timeout() method without locking, while the timer thread may simultaneously execute the callback, causing a data race.

This issue was fixed in version 2026.02.0 by adding proper synchronization to prevent concurrent access to the callback.

Impact Analysis

This vulnerability can lead to crashes or undefined behavior in the Everest EV charging software stack during normal operation involving EV plug-in/unplug and authorization events.

Specifically, the use-after-free condition may cause the software to access invalid memory, potentially resulting in denial of service due to application crashes.

Since the vulnerability affects the authentication timeout handling, it could disrupt the authorization process for EV charging sessions, impacting availability and reliability.

The CVSS base score of 5.3 indicates a medium severity impact, with high impact on availability and low impact on confidentiality and integrity.

Detection Guidance

This vulnerability is a data race leading to a use-after-free condition in the Everest EVSE core software, triggered by concurrent EV plug-in/unplug and authorization events. Detection involves monitoring for race conditions and use-after-free errors in the software.

Tools like ThreadSanitizer (TSAN) can detect data races on the Timer::callback member, and AddressSanitizer (ASAN) can report heap-use-after-free crashes during test teardown.

Suggested commands include running the Everest EVSE software under ThreadSanitizer and AddressSanitizer to identify race conditions and memory errors. For example:

  • Compile the Everest EVSE software with ThreadSanitizer enabled and run the test suite or reproduce the plug-in/unplug and authorization events to detect data races.
  • Compile and run the software with AddressSanitizer to catch use-after-free errors during runtime or shutdown.
  • Monitor logs for crashes or undefined behavior related to timer callbacks during authorization or plug-in events.
Mitigation Strategies

The immediate mitigation step is to upgrade the Everest EVSE software to version 2026.02.0 or later, which contains a patch that fixes the race condition and use-after-free vulnerability.

Until the upgrade can be applied, consider minimizing concurrent authorization and plug-in/unplug events or delaying their processing to reduce the chance of triggering the race condition.

Additionally, monitor the system for crashes or abnormal behavior related to timer callbacks and avoid running unpatched versions in production environments.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27813. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart