CVE-2026-27814
Data Race in EVerest EV Charging Software Causes Undefined Behavior
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | everest | to 2026.02.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27814 is a data race vulnerability in the EVerest EV charging software stack, specifically in the EvseManager component's phase-switch logic.
The issue occurs when a 1-phase to 3-phase switching request (`switch_three_phases_while_charging`) happens concurrently with the state machine loop (`main_thread`). The state machine loop properly locks a mutex before accessing shared state, but the switching function accesses the same shared variables without any locking.
This unsynchronized concurrent access leads to undefined behavior under the C++ memory model, causing data races on shared state variables such as `current_state` and switching flags.
The vulnerability can cause incorrect state transitions, unintended timing in switching phases, and non-deterministic misbehavior or intermittent failures in the EV charging process.
How can this vulnerability impact me? :
This vulnerability can impact the functional stability and safety of the EV charging system.
Because of the data race and resulting undefined behavior, the charging system may experience incorrect state transitions or timing issues when switching between 1-phase and 3-phase charging.
Such misbehavior could lead to intermittent failures or unpredictable operation of the charging equipment, potentially affecting availability and integrity of the charging process.
While it does not impact confidentiality, the low integrity and availability impacts could cause inconvenience or safety concerns for users relying on the EV charging system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a data race condition in the EVerest EvseManager component caused by unsynchronized access to shared state variables during concurrent execution of phase switching and the state machine loop.
Detection can be performed by running ThreadSanitizer (TSAN) or similar race detection tools on the EVerest software, as the issue produces TSAN warnings related to concurrent read/write and write/write races in the functions run_state_machine_once() and switch_three_phases_while_charging().
Suggested commands include running the EVerest software under ThreadSanitizer to detect data races, for example:
- Compile the EVerest software with ThreadSanitizer enabled (e.g., using clang or gcc with -fsanitize=thread).
- Run the software and monitor for TSAN warnings indicating data races in the phase switching and state machine functions.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the EVerest software to version 2026.02.0 or later, which contains a patch addressing this data race vulnerability.
Until the upgrade can be applied, avoid triggering the 1-phase to 3-phase switch request (function switch_three_phases_while_charging) concurrently with the state machine loop to prevent unsynchronized access.
Additionally, review and implement proper synchronization (e.g., mutex locking) around shared state accesses in the phase switching code to prevent concurrent unsynchronized access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability described in CVE-2026-27814 is a data race condition in the EVerest EV charging software stack that leads to undefined behavior affecting functional stability and safety of the EVSE control logic.
There is no indication in the provided information that this vulnerability impacts confidentiality or involves exposure of personal or sensitive data.
Since the CVSS impact metrics show no impact on confidentiality and only low impact on integrity and availability, this vulnerability does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and security.
However, the safety and functional stability risks could have indirect implications depending on the regulatory context of EV charging infrastructure, but no explicit compliance impact is stated.