CVE-2026-27828 Overview
CVE-2026-27828 is a Use After Free vulnerability in EVerest, an open-source EV (Electric Vehicle) charging software stack. The vulnerability exists in the ISO15118_chargerImpl::handle_session_setup function, which incorrectly accesses the v2g_ctx context object after it has been freed when ISO15118 initialization fails. This can occur when no IPv6 link-local address is available during initialization. An attacker with MQTT access can remotely crash the EVSE (Electric Vehicle Supply Equipment) process by issuing a session_setup command while the v2g_ctx object has already been released.
Critical Impact
Remote attackers with MQTT access can cause denial of service by crashing the EVSE process, potentially disrupting EV charging infrastructure operations.
Affected Products
- EVerest EV charging software stack versions prior to 2026.02.0
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-27828 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-27828
Vulnerability Analysis
This Use After Free (CWE-416) vulnerability occurs during error handling in the ISO15118 protocol implementation. The ISO15118 standard defines communication between EVs and charging stations, and the EVerest implementation manages this communication through a context object called v2g_ctx. When initialization of the ISO15118 subsystem fails—particularly when no IPv6 link-local address is configured—the v2g_ctx object is deallocated as part of error cleanup. However, the handle_session_setup function does not properly validate whether this context is still valid before attempting to use it, leading to a use-after-free condition.
The vulnerability is exploitable remotely by attackers who have gained MQTT (Message Queuing Telemetry Transport) access to the charging infrastructure. MQTT is commonly used in IoT deployments including EV charging networks for device communication.
Root Cause
The root cause is improper memory management in the error handling path of the ISO15118 initialization routine. When initialization fails due to network configuration issues (such as missing IPv6 link-local addresses), the v2g_ctx context object is freed but the reference to it is not properly invalidated. Subsequent calls to ISO15118_chargerImpl::handle_session_setup attempt to access this freed memory, resulting in undefined behavior that manifests as a process crash.
Attack Vector
The attack requires local access to the MQTT message broker used by the EVerest deployment. An attacker who has compromised or gained access to the MQTT infrastructure can trigger the vulnerability by:
- Waiting for or inducing an ISO15118 initialization failure (e.g., through network manipulation)
- Sending a crafted session_setup command via MQTT
- The command reaches the vulnerable handle_session_setup function which attempts to dereference the freed v2g_ctx pointer
- The EVSE process crashes, causing denial of service
The vulnerability can be triggered repeatedly to maintain a persistent denial of service condition against the charging infrastructure. For technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-27828
Indicators of Compromise
- Unexpected EVSE process crashes or restarts, particularly following network configuration changes
- Unusual MQTT traffic patterns targeting session_setup commands
- Repeated ISO15118 initialization failures in system logs
- Memory-related error messages or core dumps from the EVerest process
Detection Strategies
- Monitor EVSE process stability and implement alerting for unexpected restarts
- Analyze MQTT broker logs for suspicious session_setup command patterns
- Implement anomaly detection on MQTT traffic to identify unauthorized or malformed commands
- Review system logs for ISO15118 initialization failures that could indicate exploitation attempts
Monitoring Recommendations
- Enable verbose logging for the ISO15118 subsystem to capture initialization failures
- Monitor network configurations for missing IPv6 link-local addresses that could trigger the vulnerable code path
- Implement process monitoring and automatic alerting when EVSE services crash
- Deploy network monitoring to detect unauthorized MQTT access attempts
How to Mitigate CVE-2026-27828
Immediate Actions Required
- Upgrade EVerest to version 2026.02.0 or later which contains the security patch
- Restrict MQTT broker access to authorized systems only using authentication and network segmentation
- Ensure proper IPv6 configuration to reduce likelihood of triggering the vulnerable initialization path
- Implement process supervision to automatically restart crashed EVSE services while patches are being deployed
Patch Information
EVerest version 2026.02.0 contains a patch that addresses this vulnerability by properly validating the v2g_ctx context before use and ensuring the reference is invalidated when the object is freed. Organizations should upgrade to this version or later immediately. The GitHub Security Advisory contains additional details about the fix.
Workarounds
- Implement strict access controls on MQTT brokers to prevent unauthorized command injection
- Deploy network segmentation to isolate EV charging infrastructure from untrusted networks
- Ensure IPv6 is properly configured with link-local addresses to prevent initialization failures
- Monitor and rate-limit session_setup commands to detect and mitigate exploitation attempts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
