CVE-2026-27828: CWE-416: Use After Free in EVerest everest-core
EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_session_setup uses v2g_ctx after it has been freed when ISO15118 initialization fails (e.g., no IPv6 link-local address). The EVSE process can be crashed remotely by an attacker with MQTT access who issues a session_setup command while v2g_ctx has been released. Version 2026.02.0 contains a patch.
AI Analysis
Technical Summary
CVE-2026-27828 is a use-after-free vulnerability classified under CWE-416 found in the EVerest everest-core software stack, which is used for EV charging infrastructure. The vulnerability arises in the ISO15118_chargerImpl::handle_session_setup function. Specifically, when the ISO15118 initialization fails—commonly due to the absence of an IPv6 link-local address—the v2g_ctx context pointer is freed but subsequently accessed, leading to undefined behavior. This use-after-free condition can be triggered remotely by an attacker who has access to the MQTT interface used by the EVSE (Electric Vehicle Supply Equipment) process. By issuing a crafted session_setup command while the v2g_ctx has been released, the attacker can cause the EVSE process to crash, resulting in a denial of service. The vulnerability does not require authentication, user interaction, or elevated privileges, but it does require local network access to the MQTT broker controlling the EVSE. The CVSS 4.0 vector indicates low attack complexity and no privileges required, but the attack vector is local (AV:L), limiting remote exploitation to those with MQTT access. The vulnerability affects all versions of everest-core prior to 2026.02.0, where the issue has been patched. No exploits have been observed in the wild to date. The vulnerability primarily impacts the availability of EV charging stations relying on the affected software, potentially causing service disruptions and operational downtime.
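The lifetime error described above, modelled in self-contained C++ beside a hardened form. This is an added example, not code from everest-core: the `V2gCtx`, `VulnerableCharger` and `HardenedCharger` types and the `have_ipv6_link_local` flag are hypothetical, and the owning-pointer-plus-null-check remedy shown is one common fix, not necessarily what the 2026.02.0 patch does.

```cpp
#include <cstdio>
#include <memory>
#include <string>

// Added example. Hypothetical stand-in for the V2G context; not EVerest's real structure.
struct V2gCtx {
    std::string evse_id;
    bool session_configured = false;
};

// Vulnerable shape, shown for comparison and never called here: init() frees the
// context on failure but keeps the stale address, so the handler writes to freed memory.
struct VulnerableCharger {
    V2gCtx* v2g_ctx = nullptr;
    bool init(bool have_ipv6_link_local) {
        v2g_ctx = new V2gCtx{};
        if (have_ipv6_link_local) return true;
        delete v2g_ctx;  // freed, pointer left dangling
        return false;
    }
    void handle_session_setup(const std::string& id) { v2g_ctx->evse_id = id; }
};

// Hardened shape: one owner, the pointer is null once released, the handler checks it.
struct HardenedCharger {
    std::unique_ptr<V2gCtx> v2g_ctx;
    bool init(bool have_ipv6_link_local) {
        v2g_ctx = std::make_unique<V2gCtx>();
        if (have_ipv6_link_local) return true;
        v2g_ctx.reset();  // release and null in one step
        return false;
    }
    // Rejects the command (returns false) when no live context exists.
    bool handle_session_setup(const std::string& id) {
        if (!v2g_ctx) return false;
        v2g_ctx->evse_id = id;
        v2g_ctx->session_configured = true;
        return true;
    }
};

int main() {
    HardenedCharger up, down;
    up.init(true);
    down.init(false);  // simulated: no IPv6 link-local address
    std::printf("accepted=%d rejected_after_failed_init=%d\n",
                up.handle_session_setup("EVSE-1"), !down.handle_session_setup("EVSE-1"));
    return 0;
}
```

Building a test harness around the real handler with AddressSanitizer enabled, as the mitigation section suggests, surfaces the vulnerable shape as a heap-use-after-free report during testing.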
Potential Impact
The primary impact of CVE-2026-27828 is on the availability of EV charging infrastructure components using the vulnerable everest-core software. Successful exploitation results in a crash of the EVSE process, causing denial of service and potentially interrupting EV charging sessions. This can lead to operational disruptions for EV drivers and charging station operators, affecting user experience and potentially causing financial losses. Given the increasing reliance on EV charging networks, widespread exploitation could degrade trust in EV infrastructure. While confidentiality and integrity impacts are not evident, the availability impact is significant for critical infrastructure. The requirement for MQTT access limits the attack surface to local or network-adjacent attackers, reducing the likelihood of large-scale remote exploitation but still posing a risk in environments with insufficient network segmentation or exposed MQTT brokers.
Mitigation Recommendations
Organizations should immediately upgrade everest-core to version 2026.02.0 or later, which contains the patch for this use-after-free vulnerability. In addition to patching, network segmentation should be enforced to restrict MQTT access only to trusted entities and devices, minimizing the risk of unauthorized command injection. Implement strict access controls and authentication mechanisms on MQTT brokers to prevent unauthorized access. Monitoring and logging MQTT traffic can help detect anomalous session_setup commands indicative of exploitation attempts. Employ runtime protections such as memory safety tools or address sanitizers during development and testing to catch similar issues early. Finally, conduct regular security assessments of EVSE software components and maintain an incident response plan to quickly address potential disruptions caused by such vulnerabilities.
Affected Countries
United States, Germany, China, Japan, South Korea, France, United Kingdom, Netherlands, Canada, Norway, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:32:39.800Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c562cdf4197a8e3be49a87
Added to database: 3/26/2026, 4:46:05 PM
Last enriched: 3/26/2026, 5:02:16 PM
Last updated: 3/26/2026, 6:26:50 PM