CVE-2026-27816 Overview
CVE-2026-27816 is an out-of-bounds write vulnerability affecting EVerest, an open-source EV charging software stack. The vulnerability exists in the ISO15118_chargerImpl::handle_update_energy_transfer_modes function, which copies a variable-length list into a fixed-size array of length 6 without performing bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can trigger out-of-bounds writes, potentially corrupting adjacent EVSE (Electric Vehicle Supply Equipment) state or causing the process to crash.
Critical Impact
Attackers with local access can exploit this vulnerability to cause denial of service conditions on EV charging infrastructure by sending malformed MQTT payloads that crash the charging process or corrupt operational state.
Affected Products
- EVerest EV charging software stack (versions prior to 2026.02.0)
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-27816 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-27816
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-Bounds Write), a memory corruption issue that occurs when a program writes data past the boundaries of allocated memory. In the context of EVerest, the ISO15118_chargerImpl::handle_update_energy_transfer_modes function implements handling for energy transfer mode updates as part of the ISO 15118 charging communication protocol.
The fundamental flaw stems from the function accepting variable-length input data and copying it directly into a statically-sized array capable of holding only 6 elements. When input data exceeds this capacity, the write operation continues past the array's boundaries, corrupting adjacent memory regions used for EVSE state management.
The attack surface is expanded by the default configuration having schema validation disabled for MQTT command payloads. This means malformed or oversized payloads are not rejected at the protocol validation layer, allowing them to reach the vulnerable code path.
Root Cause
The root cause is insufficient bounds checking in the ISO15118_chargerImpl::handle_update_energy_transfer_modes function. The function assumes incoming energy transfer mode data will not exceed 6 entries, matching the fixed-size destination array. However, without explicit validation, attackers can craft MQTT payloads containing more than 6 energy transfer modes. When processed, these oversized payloads write beyond the array boundary, corrupting adjacent memory structures including EVSE operational state variables.
Attack Vector
The attack requires local access to the system running EVerest. An attacker must be able to send MQTT messages to the charging station's message broker. The attack sequence involves:
- Identifying the MQTT broker endpoint used by the EVerest deployment
- Crafting a malicious MQTT Cmd payload containing more than 6 energy transfer mode entries
- Sending the payload to trigger the vulnerable handle_update_energy_transfer_modes function
- The out-of-bounds write corrupts EVSE state data or causes process termination
Since schema validation is disabled by default, the malformed payload passes initial validation checks and reaches the vulnerable function. The exploitation does not require authentication credentials beyond MQTT broker access, though local system access is necessary.
Detection Methods for CVE-2026-27816
Indicators of Compromise
- Unexpected crashes or restarts of the EVerest charging process
- EVSE state corruption manifesting as erratic charging behavior
- Abnormally large MQTT Cmd payloads in message broker logs
- Memory corruption errors or segmentation faults in system logs
Detection Strategies
- Monitor MQTT traffic for payloads containing energy transfer mode arrays exceeding 6 entries
- Implement process monitoring to detect unexpected termination of EVerest services
- Deploy memory corruption detection tools on systems running EVerest
- Enable verbose logging for ISO 15118 protocol handling functions
Monitoring Recommendations
- Configure alerting for EVerest process crashes or abnormal restarts
- Implement MQTT payload size thresholds and alert on anomalies
- Monitor system logs for memory-related errors from EVerest components
- Track EVSE state changes for unexplained modifications
How to Mitigate CVE-2026-27816
Immediate Actions Required
- Upgrade EVerest to version 2026.02.0 or later, which contains the patch
- Enable MQTT schema validation to reject malformed payloads before they reach vulnerable code
- Restrict MQTT broker access to authorized systems only
- Monitor for indicators of exploitation on unpatched systems
Patch Information
EVerest version 2026.02.0 contains a fix for this vulnerability. The patch implements proper bounds checking in the ISO15118_chargerImpl::handle_update_energy_transfer_modes function to ensure input data does not exceed the destination array capacity. Organizations should upgrade to this version as soon as possible. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Enable MQTT schema validation to enforce payload structure constraints and reject oversized arrays
- Implement network segmentation to restrict access to MQTT broker endpoints
- Deploy application-layer firewalls to filter malformed MQTT traffic
- Limit MQTT broker access to authenticated and authorized clients only
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
