Executive Summary

CVE-2026-27814 is a data race vulnerability in the EVerest EV charging software stack, specifically in the EvseManager component's phase-switch logic.

The issue occurs when a 1-phase to 3-phase switching request (`switch_three_phases_while_charging`) happens concurrently with the state machine loop (`main_thread`). The state machine loop properly locks a mutex before accessing shared state, but the switching function accesses the same shared variables without any locking.

This unsynchronized concurrent access leads to undefined behavior under the C++ memory model, causing data races on shared state variables such as `current_state` and switching flags.

The vulnerability can cause incorrect state transitions, unintended timing in switching phases, and non-deterministic misbehavior or intermittent failures in the EV charging process.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact the functional stability and safety of the EV charging system.

Because of the data race and resulting undefined behavior, the charging system may experience incorrect state transitions or timing issues when switching between 1-phase and 3-phase charging.

Such misbehavior could lead to intermittent failures or unpredictable operation of the charging equipment, potentially affecting availability and integrity of the charging process.

While it does not impact confidentiality, the low integrity and availability impacts could cause inconvenience or safety concerns for users relying on the EV charging system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is a data race condition in the EVerest EvseManager component caused by unsynchronized access to shared state variables during concurrent execution of phase switching and the state machine loop.

Detection can be performed by running ThreadSanitizer (TSAN) or similar race detection tools on the EVerest software, as the issue produces TSAN warnings related to concurrent read/write and write/write races in the functions run_state_machine_once() and switch_three_phases_while_charging().

Suggested commands include running the EVerest software under ThreadSanitizer to detect data races, for example:

• Compile the EVerest software with ThreadSanitizer enabled (e.g., using clang or gcc with -fsanitize=thread).
• Run the software and monitor for TSAN warnings indicating data races in the phase switching and state machine functions.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the EVerest software to version 2026.02.0 or later, which contains a patch addressing this data race vulnerability.

Until the upgrade can be applied, avoid triggering the 1-phase to 3-phase switch request (function switch_three_phases_while_charging) concurrently with the state machine loop to prevent unsynchronized access.

Additionally, review and implement proper synchronization (e.g., mutex locking) around shared state accesses in the phase switching code to prevent concurrent unsynchronized access.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability described in CVE-2026-27814 is a data race condition in the EVerest EV charging software stack that leads to undefined behavior affecting functional stability and safety of the EVSE control logic.

There is no indication in the provided information that this vulnerability impacts confidentiality or involves exposure of personal or sensitive data.

Since the CVSS impact metrics show no impact on confidentiality and only low impact on integrity and availability, this vulnerability does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and security.

However, the safety and functional stability risks could have indirect implications depending on the regulatory context of EV charging infrastructure, but no explicit compliance impact is stated.

Useful 0 Not Useful 0