EVerest EV Charging Software Data Race Vulnerability in EvseManager Component

A data race vulnerability has been identified in the EVerest EV charging software stack, specifically in versions prior to 2026.02.0. The issue arises from an unsynchronized access to shared state within the EvseManager component, triggered by a 1-phase to 3-phase switch request during the charging or waiting state. This concurrent execution with the state machine loop leads to undefined behavior, allowing for incorrect state transitions and non-deterministic misbehavior in the charging process.

Impact

Exploitation of this vulnerability causes a data race, which is undefined behavior under the C++ memory model. This could result in incorrect state transitions, unintended timing of 1-phase and 3-phase switching, and non-deterministic misbehavior or intermittent failures in the EV charging process.

Reproduction

The vulnerability can be reproduced by sending a 1-phase to 3-phase switch request while the charger is in the charging or waiting state. This request will execute concurrently with the state machine loop, causing a data race on shared context fields related to the charger's current state and phase switching.

Remediation

Users can upgrade to EVerest version 2026.02.0, which includes a patch for this vulnerability.