{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27814", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:31:33.268Z", "datePublished": "2026-03-26T16:27:54.306Z", "dateUpdated": "2026-03-26T18:50:34.592Z"}, "containers": {"cna": {"title": "EVerest EvseManager phase-switch path has unsynchronized shared-state access race condition", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-5528-wc53-v557", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-5528-wc53-v557"}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"version": "< 2026.02.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:27:54.306Z"}, "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (C++ UB) triggered by an A 1-phase \u2194 3-phase switch request (`ac_switch_three_phases_while_charging`) during charging/waiting executes concurrently with the state machine loop. Version 2026.02.0 contains a patch."}], "source": {"advisory": "GHSA-5528-wc53-v557", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:50:27.710064Z", "id": "CVE-2026-27814", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:50:34.592Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27814", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:50:27.710064Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:50:31.598Z"}}], "cna": {"title": "EVerest EvseManager phase-switch path has unsynchronized shared-state access race condition", "source": {"advisory": "GHSA-5528-wc53-v557", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"status": "affected", "version": "< 2026.02.0"}]}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-5528-wc53-v557", "name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-5528-wc53-v557", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (C++ UB) triggered by an A 1-phase \u2194 3-phase switch request (`ac_switch_three_phases_while_charging`) during charging/waiting executes concurrently with the state machine loop. Version 2026.02.0 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:27:54.306Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27814", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:50:34.592Z", "dateReserved": "2026-02-24T02:31:33.268Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T16:27:54.306Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB167E67-6808-4F7B-9505-FFF0C02B288C", "versionEndExcluding": "2026.02.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (C++ UB) triggered by an A 1-phase \u2194 3-phase switch request (`ac_switch_three_phases_while_charging`) during charging/waiting executes concurrently with the state machine loop. Version 2026.02.0 contains a patch."}, {"lang": "es", "value": "EVerest es una pila de software de carga de veh\u00edculos el\u00e9ctricos. Las versiones anteriores a la 2026.02.0 tienen una condici\u00f3n de carrera de datos (C++ UB) desencadenada por una solicitud de un switch A de 1 fase ? 3 fases (`ac_switch_three_phases_while_charging`) durante la carga/espera que se ejecuta concurrentemente con el bucle de la m\u00e1quina de estados. La versi\u00f3n 2026.02.0 contiene un parche."}], "id": "CVE-2026-27814", "lastModified": "2026-03-31T14:53:24.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T17:16:33.910", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-5528-wc53-v557"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.02.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "everest-core", "source": "cna", "vendor": "EVerest"}, "product": "everest-core", "vendor": "everest"}], "analysis": {"en": {"generated_at": "2026-03-31T16:27:23.164639+00:00", "value": {"mitigation_remediation": ["Upgrade EVerest everest-core to version 2026.02.0 or later, which contains the race\u2011condition fix.", "If upgrading is not immediately possible, disable the ac_switch_three_phases_while_charging feature or restrict access to phase\u2011switch commands until a patch is applied."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "EVerest everest-core, all releases prior to 2026.02.0 are affected. The issue is found in the EV charging software stack maintained by the Linux Foundation.", "description_and_impact": "The vulnerability is an unsynchronized access race in the EvseManager phase\u2011switch path, which can cause undefined behavior when an AC phase switch request is issued while charging. This race condition can lead to inconsistent shared state, resulting in a crash or unpredictable operation of the charging controller, effectively denying service to EV users.", "risk_and_exploitability": "CVSS score is 4.2, reflecting moderate potential impact, and the EPSS score is below 1%, indicating low likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack vector is inferred to be local or remote via the EVSE command interface that can trigger the phase\u2011switch request while the state machine loop is active, thereby inducing the race."}}}}, "created": "2026-03-27T08:33:54.055966+00:00", "updated": "2026-03-31T20:08:53.376289+00:00", "vendors": ["everest", "everest$PRODUCT$everest-core"]}