EVerest ISO15118-20 Null Pointer Dereference Vulnerability Leading to Denial-of-Service
Vulnerability
A null pointer dereference vulnerability has been identified in EVerest, an EV charging software stack, in versions prior to 2025.10.0. The issue arises in the ISO15118-20 communication module, where the handling of Session objects and TCP sockets is flawed. When a Service Discovery Protocol (SDP) request is received, a new Session and connection object are created, opening a new TCP socket for communication. However, the previous Session is not properly closed or destroyed, leading to a loss of connection data. This mismanagement allows for a null pointer dereference, causing a crash in the module and shutting down all processes and functionalities related to the Electric Vehicle Supply Equipment (EVSE).
Impact
Exploitation of this vulnerability causes the EVerest module to crash, terminating all associated processes and disrupting EVSE operations.
Reproduction
The vulnerability can be reproduced by sending multiple SDP requests over IPv6. Each request triggers the creation of a new TCP socket for ISO15118-20 communication, without closing the previous ones. After sending approximately ten requests, the module will have opened multiple sockets that can be observed using netstat. Connecting to one of these sockets will cause the module to crash, due to a null pointer dereference.
Remediation
Users should update to EVerest version 2025.10.0 or later, where this vulnerability has been fixed.
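The socket build-up described under Reproduction is visible in netstat output before any connection is made to the leaked sockets, so it can be monitored on deployments that have not yet been updated. The following is an added example, not EVerest code: it parses `netstat -6 -tlnp` output and reports a program that holds more listening TCP/IPv6 sockets than expected. The program name `iso15118d20`, the sample output and the threshold of one listener are assumptions.

```python
from collections import defaultdict

# Constructed `netstat -6 -tlnp` output: every address, port, PID and the
# program name "iso15118d20" is made up for this example.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::22                   :::*                    LISTEN      612/sshd
tcp6       0      0 fe80::a00:27ff:fe4:50112 :::*                   LISTEN      2041/iso15118d20
tcp6       0      0 fe80::a00:27ff:fe4:50347 :::*                   LISTEN      2041/iso15118d20
tcp6       0      0 fe80::a00:27ff:fe4:51020 :::*                   LISTEN      2041/iso15118d20
tcp6       0      0 fe80::a00:27ff:fe4:52781 :::*                   LISTEN      2041/iso15118d20
tcp6       0      0 fe80::a00:27ff:fe4:52781 fe80::1:40000          ESTABLISHED 2041/iso15118d20
"""


def listeners_by_program(netstat_text):
    """Map program name -> sorted list of TCP/IPv6 ports it is listening on."""
    ports = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: proto recv-q send-q local foreign state pid/program
        if len(fields) < 7 or fields[0] != "tcp6" or fields[5] != "LISTEN":
            continue
        # The port is whatever follows the last colon of the local address.
        port = fields[3].rsplit(":", 1)[1]
        # "-" (no privileges to see the owner) yields an empty program name.
        _pid, _, program = " ".join(fields[6:]).partition("/")
        if port.isdigit() and program:
            ports[program].add(int(port))
    return {name: sorted(p) for name, p in ports.items()}


def leaked_listeners(netstat_text, program, max_expected=1):
    """Return the program's listening ports if it has more than max_expected.

    max_expected=1 is an assumption: one active session, one listening socket.
    """
    found = listeners_by_program(netstat_text).get(program, [])
    return found if len(found) > max_expected else []


if __name__ == "__main__":
    ports = leaked_listeners(SAMPLE, "iso15118d20")
    if ports:
        print(f"iso15118d20: {len(ports)} listening sockets: {ports}")
```

In practice the text would come from running `netstat -6 -tlnp` with enough privileges to see the owning process, and the threshold should match how many listeners the module opens on a healthy charger.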
