Executive Summary

CVE-2026-27816 is a medium-severity vulnerability in the EVerest EV charging software stack, specifically in the ISO15118 charger interface's handle_update_energy_transfer_modes function.

The vulnerability occurs because the function copies a variable-length list of supported energy transfer modes into a fixed-size array of length 6 without checking if the list exceeds this size.

Since schema validation is disabled by default, an attacker can send an MQTT command payload with more than six entries, causing out-of-bounds writes that can corrupt adjacent EVSE state data or crash the process.

This issue affects versions up to 2025.12.1 and was fixed in version 2026.02.0 by adding bounds checking and enabling schema validation.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability can lead to corruption of adjacent EVSE state data or cause the charging software process to crash.

An attacker with access to the internal MQTT broker can trigger this by sending specially crafted commands, potentially disrupting EV charging operations.

This can result in denial of service or unpredictable behavior of the EV charging system, impacting reliability and availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring MQTT traffic for update_energy_transfer_modes commands that contain more than six supported_energy_transfer_modes entries, which exceed the fixed-size array limit.

Since the vulnerability involves out-of-bounds writes triggered by oversized MQTT payloads, inspecting MQTT messages for unusually large or malformed payloads targeting the ISO15118 charger interface is key.

Suggested detection approach includes capturing MQTT traffic and filtering for the specific command:

• Use an MQTT client or network packet capture tool (e.g., Wireshark, tcpdump) to capture MQTT messages.
• Filter messages for the topic or payload containing 'update_energy_transfer_modes'.
• Inspect the payload to check if the supported_energy_transfer_modes list length exceeds six entries.

Example command to capture MQTT traffic on port 1883 (default MQTT port) using tcpdump:

• sudo tcpdump -i <interface> -A port 1883 | grep -i 'update_energy_transfer_modes'

Alternatively, use an MQTT client tool to subscribe to relevant topics and inspect payloads for oversized lists.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade the EVerest software to version 2026.02.0 or later, which contains the patch fixing the vulnerability.
• Enable schema validation by setting settings.validate_schema to true in the deployment configuration to prevent oversized MQTT payloads from being processed.
• Implement explicit bounds checking on the supported_energy_transfer_modes list to reject or truncate inputs exceeding six entries.
• Restrict access to the internal MQTT broker to trusted entities only, reducing the risk of an attacker sending malicious commands.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0