Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27813

CVE-2026-27813: EVerest Use-After-Free Vulnerability

CVE-2026-27813 is a use-after-free vulnerability in EVerest EV charging software caused by a data race during plug-in/unplug and authorization events. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-27813 Overview

CVE-2026-27813 is a use-after-free vulnerability affecting EVerest, an open-source EV charging software stack. This race condition vulnerability is triggered by concurrent EV plug-in/unplug events and RFID, RemoteStart, or OCPP authorization events (including delayed authorization responses). The vulnerability exists in versions prior to 2026.02.0 and can lead to memory corruption with potential impacts to system availability and integrity.

Critical Impact

Data race condition leading to use-after-free that can cause system crashes, memory corruption, or potentially allow unauthorized manipulation of EV charging sessions.

Affected Products

  • EVerest EV charging software stack versions prior to 2026.02.0

Discovery Timeline

  • 2026-03-26 - CVE CVE-2026-27813 published to NVD
  • 2026-03-26 - Last updated in NVD database

Technical Details for CVE-2026-27813

Vulnerability Analysis

This vulnerability falls under CWE-416 (Use After Free), a memory corruption class where a program continues to use a pointer after it has been freed. In the context of EVerest, this occurs due to a data race condition between multiple concurrent operations within the EV charging stack.

The vulnerability requires physical access to exploit, as it is triggered by physical EV plug-in/unplug actions combined with authorization events. This limits the attack surface to scenarios where an attacker has direct physical access to the charging infrastructure.

Root Cause

The root cause is a data race condition in EVerest's event handling mechanism. When EV plug-in/unplug events occur simultaneously with authorization events (RFID swipes, RemoteStart commands, or OCPP authorization responses), the software fails to properly synchronize access to shared memory resources. This allows one thread to free memory that another thread is still actively using, resulting in a use-after-free condition.

Attack Vector

The attack requires physical access to an EV charging station running vulnerable EVerest software. An attacker would need to:

  1. Gain physical access to a charging station
  2. Trigger rapid plug-in/unplug sequences while simultaneously initiating authorization events
  3. Exploit the resulting race condition to cause memory corruption

The vulnerability manifests when EV connection state changes and authorization events are processed concurrently without proper synchronization primitives. The timing-dependent nature of the attack (requiring high complexity) means that successful exploitation is not trivially reproducible. For detailed technical information, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-27813

Indicators of Compromise

  • Unexpected crashes or service restarts of the EVerest charging software
  • Memory corruption errors or segmentation faults in system logs
  • Unusual patterns of plug-in/unplug events combined with failed authorization attempts
  • Core dumps indicating use-after-free memory access patterns

Detection Strategies

  • Monitor EVerest application logs for segmentation faults or memory access violations
  • Implement crash monitoring and alerting for the EVerest service process
  • Review system logs for patterns indicating race condition exploitation attempts
  • Deploy memory sanitizer tools in development/testing environments to detect use-after-free issues

Monitoring Recommendations

  • Enable verbose logging for EV connection state changes and authorization events
  • Implement automated alerting for abnormal patterns of rapid plug/unplug cycles
  • Monitor for correlation between authorization failures and system crashes
  • Track service restarts and core dump generation rates for anomaly detection

How to Mitigate CVE-2026-27813

Immediate Actions Required

  • Upgrade EVerest to version 2026.02.0 or later immediately
  • Review charging station access logs for signs of exploitation attempts
  • Ensure physical security controls are in place to limit unauthorized access to charging infrastructure
  • Consider implementing rate limiting on plug-in/unplug event processing as a defense-in-depth measure

Patch Information

EVerest version 2026.02.0 contains the official patch for this vulnerability. Organizations running EVerest should upgrade to this version or later to remediate the use-after-free condition. Additional details are available in the GitHub Security Advisory.

Workarounds

  • Implement physical access controls to restrict unauthorized access to charging stations
  • Monitor charging stations for unusual activity patterns during authorization events
  • Consider temporarily disabling rapid re-authorization features if the patch cannot be immediately applied
  • Implement watchdog services to automatically restart EVerest in case of crashes while maintaining audit logs

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne