CVE-2026-27814: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in EVerest everest-core
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (undefined behaviour in C++): a 1-phase ↔ 3-phase switch request (`ac_switch_three_phases_while_charging`) issued during charging or waiting executes concurrently with the state machine loop. Version 2026.02.0 contains a patch.
AI Analysis
Technical Summary
CVE-2026-27814 is a concurrency bug classified as CWE-362 (race condition) in everest-core, the core module collection of EVerest, an open-source EV charging stack. Versions prior to 2026.02.0 are affected. The trigger is a 1-phase ↔ 3-phase switch request (`ac_switch_three_phases_while_charging`) issued while a session is in the charging or waiting state: the request handler runs on a different thread from the state machine loop and touches the same session state without synchronization. In ISO C++ two conflicting, unsynchronized accesses from different threads are a data race, which is undefined behaviour; in practice that means torn or stale reads of the session state, a lost or duplicated phase switch, or a crash, and the compiler may make matters worse because it is allowed to assume no such race exists. The root cause is therefore missing locking, or a missing hand-off of the request to the loop thread, rather than a logic error in the switching itself. The consequences are integrity loss (an inconsistent session state) and availability loss (a hung or crashed charger process); confidentiality is not affected. The reported CVSS v3.1 base score is 4.2 (medium), characterised in this analysis as network-reachable with high attack complexity, no privileges required, no user interaction and unchanged scope; verify the full vector string in the GitHub advisory before reusing these component values. Exposure also depends on how the charger's command interface is wired in a given deployment, since the request has to reach it. The project released version 2026.02.0 with a patch that synchronizes the switch request with the state machine loop. No public exploit or in-the-wild exploitation has been reported. Operators of EVerest-based charging infrastructure are the relevant audience: the practical effect is disrupted or denied charging rather than data theft.
Potential Impact
CVE-2026-27814 affects the integrity and availability of chargers running everest-core before 2026.02.0; confidentiality is untouched. A race between the phase-switch handler and the state machine loop can leave the session in an inconsistent state (a switch applied twice, dropped, or applied in a state where it is not expected), which shows up as wrong charging behaviour, a stuck session or a crashed charger process. For EV users that is a failed or interrupted charge; for a charge point operator it is downtime, manual recovery and, because a phase switch is a hardware operation, a potential safety concern if an invalid state is reached. The medium score reflects that an attacker has to reach the command interface and win a timing window, which limits opportunistic exploitation but not a targeted attempt against exposed infrastructure.
Mitigation Recommendations
Upgrade everest-core to 2026.02.0 or later; that is the only change that removes the race. If an upgrade must wait, restrict who can reach the interface that exposes `ac_switch_three_phases_while_charging` (network segmentation and authentication on the management path) and, where phase switching during a session is not needed, disable it in the charger module's configuration if the deployed version offers such an option. Patching the code locally with a mutex around the shared state is possible, but treat it as a fork to be retired at the next upgrade rather than a permanent fix. Build with ThreadSanitizer (`-fsanitize=thread`) in CI and exercise the command handlers concurrently with the state machine loop; this class of bug is cheap to catch before release and hard to reproduce after it. In operations, log and alert on repeated phase-switch requests within a single session, keep configuration backups and a tested recovery procedure for stuck chargers, and follow the EVerest security advisories for related fixes.
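The race described in the technical summary, and the hand-off to the state machine loop that the mitigation section recommends, as an added example. This is illustrative code written for this page, not everest-core's implementation: `RacyCharger`, `SafeCharger`, `request_phase_switch` and `simulate_safe` are assumed names, and the states and the charging/waiting check are a simplified model of the advisory's wording.

```cpp
// Added example, not everest-core code: a minimal model of a charger state-machine
// loop that receives 1-phase <-> 3-phase switch requests from another thread.
// RacyCharger, SafeCharger, request_phase_switch and simulate_safe are names
// assumed for this example; they are not EVerest identifiers.
#include <atomic>
#include <chrono>
#include <cstddef>
#include <cstdio>
#include <mutex>
#include <thread>
#include <vector>

enum class State { Idle, Charging, WaitingForEnergy, Finished };
enum class Phases { One, Three };

// CWE-362 pattern: the command thread writes fields that the loop thread reads and
// writes, with no mutex and no atomics. In ISO C++ that is a data race and thus
// undefined behaviour; the most visible symptom is a switch request being lost.
struct RacyCharger {
    State state = State::Charging;
    Phases phases = Phases::Three;
    bool switch_requested = false;
    std::size_t applied = 0;

    void request_phase_switch(bool three_phases) {           // command thread
        phases = three_phases ? Phases::Three : Phases::One;  // racy write
        switch_requested = true;                              // racy write
    }
    void run_loop_once() {                                    // loop thread
        if (switch_requested) {                               // racy read
            if (state == State::Charging || state == State::WaitingForEnergy) ++applied;
            switch_requested = false;  // a request landing between the read and
        }                              // this write is silently dropped
    }
};

// Hardened pattern: the handler only enqueues an event under a mutex. All session
// state is owned by the loop thread, which drains the queue itself, so no field is
// ever touched from two threads without synchronization.
class SafeCharger {
public:
    void request_phase_switch(bool three_phases) {            // any thread
        std::lock_guard<std::mutex> lk(mu_);
        pending_.push_back(three_phases ? Phases::Three : Phases::One);
    }
    // Loop thread only. Returns how many requests were consumed this iteration.
    std::size_t run_loop_once() {
        std::vector<Phases> batch;
        {
            std::lock_guard<std::mutex> lk(mu_);
            batch.swap(pending_);                             // lock held briefly
        }
        for (Phases p : batch) {
            // A switch is only meaningful during an active session; elsewhere it
            // is rejected instead of mutating state from an unexpected context.
            if (state_ == State::Charging || state_ == State::WaitingForEnergy) {
                phases_ = p;
                ++applied_;
            } else {
                ++rejected_;
            }
        }
        return batch.size();
    }
    void set_state(State s) { state_ = s; }                   // loop thread only
    std::size_t applied() const { return applied_; }
    std::size_t rejected() const { return rejected_; }
    Phases phases() const { return phases_; }

private:
    std::mutex mu_;
    std::vector<Phases> pending_;    // shared, guarded by mu_
    State state_ = State::Charging;  // loop thread only
    Phases phases_ = Phases::Three;  // loop thread only
    std::size_t applied_ = 0;
    std::size_t rejected_ = 0;
};

struct SimResult { std::size_t requested; std::size_t applied; std::size_t rejected; };

// Hammers the hardened charger with `writers` command threads while one loop thread
// runs; every request must end up either applied or rejected, never lost.
SimResult simulate_safe(std::size_t writers, std::size_t per_writer) {
    SafeCharger c;
    std::atomic<bool> stop{false};
    std::thread loop([&] {
        while (!stop.load(std::memory_order_acquire)) {
            c.run_loop_once();
            std::this_thread::sleep_for(std::chrono::microseconds(20));
        }
        c.run_loop_once();  // drain requests queued before stop was observed
    });
    std::vector<std::thread> cmds;
    for (std::size_t w = 0; w < writers; ++w) {
        cmds.emplace_back([&c, w, per_writer] {
            for (std::size_t i = 0; i < per_writer; ++i)
                c.request_phase_switch(((w + i) % 2) == 0);   // alternate 3ph/1ph
        });
    }
    for (auto& t : cmds) t.join();   // all requests are enqueued before stop is set
    stop.store(true, std::memory_order_release);
    loop.join();
    return {writers * per_writer, c.applied(), c.rejected()};
}

// A switch requested outside charging/waiting is rejected, not applied.
SimResult request_while_idle() {
    SafeCharger c;
    c.set_state(State::Idle);
    c.request_phase_switch(false);
    c.run_loop_once();
    return {1, c.applied(), c.rejected()};
}

int main() {
    SimResult r = simulate_safe(4, 500);
    std::printf("requested=%zu applied=%zu rejected=%zu\n", r.requested, r.applied, r.rejected);
    return (r.applied + r.rejected == r.requested) ? 0 : 1;
}
```

Build with `g++ -std=c++17 -O2 -pthread` and run; the hardened charger never loses a request. To see the original defect, drive `RacyCharger` the same way from a command thread and a loop thread under `-fsanitize=thread`: ThreadSanitizer reports the unsynchronized write/read pair on `switch_requested` and `phases` as a data race, which is exactly the check worth adding to CI for this code path. The design point is that the mutex only protects the queue; the session state itself has a single owner thread, so the state machine never observes a half-applied switch.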
Affected Countries
United States, Germany, China, Netherlands, France, United Kingdom, Japan, South Korea, Canada, Norway
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:31:33.268Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c562cdf4197a8e3be49a7e
Added to database: 3/26/2026, 4:46:05 PM
Last enriched: 3/26/2026, 5:02:58 PM
Last updated: 3/26/2026, 9:43:18 PM