CVE-2026-27815 Overview
CVE-2026-27815 is an out-of-bounds write vulnerability in EVerest, an open-source EV charging software stack. The vulnerability exists in the ISO15118_chargerImpl::handle_session_setup function, which copies a variable-length payment_options list into a fixed-size array of length 2 without performing bounds checking. Because schema validation is disabled by default, attackers can craft oversized MQTT command payloads that trigger out-of-bounds writes, potentially corrupting adjacent EVSE (Electric Vehicle Supply Equipment) state or crashing the process entirely.
Critical Impact
Attackers with local access can exploit this vulnerability to cause denial of service by crashing the EV charging process, potentially disrupting charging station operations.
Affected Products
- EVerest EV charging software stack versions prior to 2026.02.0
Discovery Timeline
- 2026-03-26 - CVE-2026-27815 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-27815
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-Bounds Write), a memory corruption issue that occurs when software writes data past the end or before the beginning of an intended buffer. In the context of EVerest, the ISO15118_chargerImpl::handle_session_setup function allocates a fixed-size array capable of holding only 2 payment option entries. When processing incoming MQTT command payloads, the function directly copies the payment_options list without validating that the source data fits within the destination buffer's bounds.
The vulnerability is exacerbated by the fact that schema validation is disabled by default in EVerest deployments. This design choice means that malformed or malicious MQTT payloads containing more than 2 payment options are not rejected at the input validation layer, allowing them to reach the vulnerable code path.
Root Cause
The root cause is a missing bounds check in the ISO15118_chargerImpl::handle_session_setup function. The code assumes the payment_options list will never exceed 2 elements, but does not enforce this constraint. When the function receives a list with more than 2 entries, it continues writing beyond the allocated array boundary, corrupting adjacent memory structures including EVSE state data.
Attack Vector
The attack requires local access to send crafted MQTT command payloads to the EVerest charging system. An attacker can construct an oversized payment_options array containing more than 2 entries in the MQTT Cmd payload. When the vulnerable function processes this payload, the out-of-bounds write occurs, which can corrupt adjacent EVSE state variables or trigger a process crash. Since schema validation is disabled by default, no preliminary validation prevents the malicious payload from being processed.
The vulnerability manifests during ISO 15118 session setup handling when processing payment options from MQTT command messages. Technical details and the specific vulnerable code pattern are documented in the GitHub Security Advisory.
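The missing bounds check described under Root Cause, shown beside a length-checked copy. This is an added illustration, not EVerest source code: `SessionModel`, `copy_unchecked`, `copy_checked` and the enum values are hypothetical names, and the session memory is modelled as one flat array so the overrun into adjacent state can be observed safely.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Hypothetical names; a model of the bug class, not EVerest source code.
enum class PaymentOption : std::uint8_t { Contract = 1, ExternalPayment = 2 };
constexpr std::size_t kMaxPaymentOptions = 2;  // fixed capacity named in the advisory

// Flat model of session memory: slots 0..1 are the payment-option array and
// slot 2 is the adjacent EVSE state. One array keeps the overrun observable
// without real undefined behaviour.
struct SessionModel {
    std::array<std::uint8_t, 3> slots{0, 0, 0xEE};  // 0xEE: constructed state marker
    std::size_t option_count = 0;
    std::uint8_t evse_state() const { return slots[2]; }
};

// Unchecked pattern: the loop bound is the sender-controlled list length.
// (The slots.size() clamp exists only to keep this model memory-safe.)
void copy_unchecked(SessionModel& s, const std::vector<PaymentOption>& in) {
    for (std::size_t i = 0; i < in.size() && i < s.slots.size(); ++i)
        s.slots[i] = static_cast<std::uint8_t>(in[i]);
    s.option_count = in.size();
}

// Hardened pattern: validate the length first and write nothing on rejection.
bool copy_checked(SessionModel& s, const std::vector<PaymentOption>& in) {
    if (in.size() > kMaxPaymentOptions) return false;
    for (std::size_t i = 0; i < in.size(); ++i)
        s.slots[i] = static_cast<std::uint8_t>(in[i]);
    s.option_count = in.size();
    return true;
}

int main() {
    const std::vector<PaymentOption> oversized{
        PaymentOption::Contract, PaymentOption::ExternalPayment, PaymentOption::Contract};
    SessionModel a, b;
    copy_unchecked(a, oversized);
    const bool accepted = copy_checked(b, oversized);
    std::cout << "unchecked: evse_state=0x" << std::hex << int(a.evse_state()) << '\n'
              << "checked:   accepted=" << accepted
              << " evse_state=0x" << int(b.evse_state()) << '\n';
}
```

Rejecting before the first write matters: a handler that truncates or fails midway can still leave the session in a partially updated state.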
Detection Methods for CVE-2026-27815
Indicators of Compromise
- Unexpected crashes or restarts of the EVerest charging process
- EVSE state corruption manifesting as inconsistent charging behavior
- MQTT message logs showing abnormally large payment_options arrays (more than 2 entries)
- Core dumps or memory access violation errors in system logs
Detection Strategies
- Monitor MQTT message traffic for payloads containing payment_options arrays exceeding the expected 2-element limit
- Implement logging and alerting on EVerest process crashes or unexpected restarts
- Deploy memory corruption detection tools to identify out-of-bounds write attempts
- Audit MQTT broker access controls to detect unauthorized local connections
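One way to flag logged MQTT payloads whose `payment_options` array exceeds the 2-element limit. This is an added example, not EVerest code: the function names are hypothetical, the sample payloads are constructed, and the only assumption about the payload layout is that it is JSON containing a `payment_options` key.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>
// Counts the elements of the "payment_options" array in a JSON payload.
// Returns -1 if the key is absent, its value is not an array, or the array
// never closes. A triage heuristic, not a full JSON parser.
int count_payment_options(const std::string& json) {
    const std::string key = "\"payment_options\"";
    std::size_t pos = json.find(key);
    if (pos == std::string::npos) return -1;
    pos = json.find_first_not_of(" \t\r\n:", pos + key.size());
    if (pos == std::string::npos || json[pos] != '[') return -1;
    int depth = 0, commas = 0;
    bool in_string = false, has_value = false;
    for (std::size_t i = pos; i < json.size(); ++i) {
        const char c = json[i];
        if (in_string) {
            if (c == '\\') ++i;                    // skip the escaped character
            else if (c == '"') in_string = false;
        } else if (c == '"') {
            in_string = true;
            if (depth == 1) has_value = true;
        } else if (c == '[' || c == '{') {
            if (depth == 1) has_value = true;      // a nested value is one element
            ++depth;
        } else if (c == ']' || c == '}') {
            if (--depth == 0) return commas + (has_value ? 1 : 0);
        } else if (c == ',' && depth == 1) {
            ++commas;
            has_value = false;
        } else if (depth == 1 && !std::isspace(static_cast<unsigned char>(c))) {
            has_value = true;
        }
    }
    return -1;                                     // unterminated array
}

// True when the payload carries more entries than the fixed array can hold.
bool exceeds_limit(const std::string& json) { return count_payment_options(json) > 2; }

int main() {
    const std::vector<std::string> constructed = {   // constructed sample payloads
        R"({"payment_options":["Contract","ExternalPayment"]})",
        R"({"payment_options":["Contract","ExternalPayment","Contract","Contract"]})"};
    for (const auto& p : constructed)
        std::cout << count_payment_options(p) << (exceeds_limit(p) ? " ALERT\n" : " ok\n");
}
```

A return value of -1 is worth logging separately, since a truncated or malformed payload reaching the broker is itself unusual.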
Monitoring Recommendations
- Enable verbose logging for ISO 15118 session setup events
- Set up automated alerting for EVerest service availability and process health
- Monitor system logs for segmentation faults or memory access violations
- Implement network monitoring to track MQTT command patterns to charging infrastructure
How to Mitigate CVE-2026-27815
Immediate Actions Required
- Upgrade EVerest to version 2026.02.0 or later, which contains the security patch
- Enable schema validation on MQTT command processing to reject malformed payloads
- Restrict local access to systems running EVerest to authorized personnel only
- Review and harden MQTT broker access controls
Patch Information
The EVerest project has released version 2026.02.0 which contains a patch for this vulnerability. The fix adds proper bounds checking to the ISO15118_chargerImpl::handle_session_setup function to ensure that payment_options lists exceeding the fixed array size are properly handled. Organizations should upgrade to this version as soon as possible. Additional details are available in the GitHub Security Advisory.
Workarounds
- Enable schema validation for MQTT command processing to filter out oversized payloads before they reach vulnerable code paths
- Implement network segmentation to restrict MQTT access to trusted components only
- Deploy application-level firewalls or input validation proxies to sanitize incoming MQTT payloads
- Monitor and limit the size of incoming MQTT messages to prevent oversized arrays from being processed
If immediate patching is not possible, enabling schema validation provides a defense-in-depth measure to reject malformed payloads. Consult the GitHub Security Advisory for specific configuration guidance.