CVE-2026-27828
Use-After-Free in EVerest ISO15118 Charger Causes Remote Crash
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | everest | before 2026.02.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the EVerest EVSE software to version 2026.02.0 or later, which contains the patch that fixes the use-after-free vulnerability.
Additional mitigations before upgrading include:
- Disable or restrict MQTT access to prevent unauthorized session_setup commands.
- Ensure that the ISO15118 initialization does not fail by verifying network configuration, especially the presence of an IPv6 link-local address.
- Monitor and restrict command handlers to prevent race conditions and use-after-free scenarios.
Can you explain this vulnerability to me?
CVE-2026-27828 is a use-after-free vulnerability in the EVerest EV charging software stack, specifically in the ISO15118 session_setup handling. The issue occurs when the software tries to use a context pointer (v2g_ctx) after it has already been freed due to a failed initialization (such as missing an IPv6 link-local address). An attacker with MQTT access can exploit this by sending a session_setup command, causing the software to dereference the freed pointer and crash the EVSE process.
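The pattern described above, as an added example that is not EVerest source code and not the project's patch: a context freed on a failed init while a command handler still dereferences it, next to one way to close that gap. Only `v2g_ctx` and `session_setup` come from this page; the struct, function names and the `clear_on_failure` switch are hypothetical.

```c
/* Added illustration of the bug class; not EVerest source code.
 * Only v2g_ctx and session_setup come from the page; the rest is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct v2g_context { char session_id[16]; };

static struct v2g_context *v2g_ctx; /* shared with the command handlers */

/* Init fails when the interface has no IPv6 link-local address.
 * clear_on_failure = 0 models the flawed error path, 1 the hardened one. */
static int v2g_init(int has_link_local, int clear_on_failure) {
    v2g_ctx = calloc(1, sizeof *v2g_ctx);
    if (v2g_ctx == NULL) return -1;
    if (!has_link_local) {
        free(v2g_ctx);
        if (clear_on_failure) v2g_ctx = NULL; /* leave no dangling pointer */
        return -1;
    }
    return 0;
}

/* Vulnerable shape: dereferences v2g_ctx without knowing it is still live.
 * After a failed init with clear_on_failure = 0 this is a use-after-free. */
static int session_setup_vulnerable(const char *id) {
    strncpy(v2g_ctx->session_id, id, sizeof v2g_ctx->session_id - 1);
    return 0;
}

/* Hardened shape: the command is rejected when no live context exists. */
static int session_setup_hardened(const char *id) {
    if (v2g_ctx == NULL) return -1;
    strncpy(v2g_ctx->session_id, id, sizeof v2g_ctx->session_id - 1);
    return 0;
}

int main(void) {
    /* Healthy start: both handlers are safe because the context is live. */
    if (v2g_init(1, 1) == 0) {
        session_setup_vulnerable("constructed-id");
        printf("live ctx: %s\n", v2g_ctx->session_id);
        free(v2g_ctx);
        v2g_ctx = NULL;
    }
    /* Failed init on the hardened path: handler refuses instead of crashing. */
    int rc = v2g_init(0, 1);
    printf("init=%d session_setup=%d\n", rc, session_setup_hardened("constructed-id"));
    return 0;
}
```

The hardening has two halves that only work together: the error path clears the shared pointer, and the handler checks it before use.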
How can this vulnerability impact me?
This vulnerability can be exploited remotely by an attacker with MQTT access to cause the EVSE process to crash. This results in a denial-of-service (DoS) condition, potentially disrupting EV charging operations and causing service unavailability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the EVSE process for crashes or denial-of-service symptoms triggered by MQTT session_setup commands. Since the issue occurs when an attacker with MQTT access sends a session_setup command after ISO15118 initialization fails, observing unexpected process crashes or logs related to session_setup handling may indicate exploitation attempts.
Detection amounts to watching the EVSE process logs and MQTT traffic for suspicious session_setup commands, for example:
- Check system logs for EVSE process crashes with journalctl: `journalctl -u evse.service -f`
- Capture and analyze MQTT traffic for session_setup commands with `mosquitto_sub` or `tcpdump`: `mosquitto_sub -t 'session_setup' -v` or `tcpdump -i any port 1883`
- Check that the network interface has an IPv6 link-local address, since failure to obtain one triggers the vulnerability: `ip -6 addr show`
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.