EVerest ISO15118 Session Setup Use-After-Free Vulnerability Leading to Denial-of-Service

Vulnerability

A use-after-free vulnerability has been identified in the EVerest EV charging software stack, specifically in versions prior to 2026.02.0. The issue arises in the ISO15118_chargerImpl::handle_session_setup function, where the v2g_ctx variable is accessed after being freed. This situation occurs when ISO15118 initialization fails, such as in the absence of a valid IPv6 link-local address. An attacker with MQTT access can remotely crash the EVSE process by sending a session_setup command while v2g_ctx has already been released.

Impact

Exploitation of this vulnerability leads to a process crash, causing a denial-of-service condition on the EVSE.

Reproduction

To reproduce this vulnerability, first ensure that the EVSE is running without a valid IPv6 link-local address, which will cause the ISO15118 initialization to fail. Despite this failure, the MQTT command handlers will remain active. An attacker can then publish a session_setup command via MQTT. The command will be processed by the ISO15118_chargerImpl::handle_session_setup function, which will dereference the freed v2g_ctx, resulting in a use-after-free error and crashing the process.

Remediation

Users can upgrade to EVerest version 2026.02.0, which includes a patch for this vulnerability. In addition, it is recommended to ensure that the EVSE has a valid IPv6 link-local address before initiating the ISO15118 connection.
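
The defensive pattern for this failure mode, as an added example that is neither EVerest's code nor its actual patch: the context owner is left null when initialization fails, and the still-subscribed session_setup handler checks it before use. The types Charger, CommandBus, V2gCtx and the sample EVSE ID are hypothetical and constructed for illustration.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <utility>

struct V2gCtx { std::string evse_id; };  // hypothetical stand-in for the V2G context

enum class Result { Applied, NotInitialised, UnknownCommand };

class Charger {
public:
    // Models ISO15118 init, which fails without an IPv6 link-local address.
    bool init(bool have_ipv6_link_local) {
        auto ctx = std::make_unique<V2gCtx>();
        if (!have_ipv6_link_local) return false;  // ctx is released here, ctx_ stays null
        ctx_ = std::move(ctx);                    // published only after full success
        return true;
    }
    // Reachable from the command bus whether or not init() succeeded.
    Result handle_session_setup(const std::string& evse_id) {
        if (!ctx_) return Result::NotInitialised;  // guard against the released context
        ctx_->evse_id = evse_id;
        return Result::Applied;
    }
    std::string evse_id() const { return ctx_ ? ctx_->evse_id : std::string(); }
private:
    std::unique_ptr<V2gCtx> ctx_;  // single owner, so no dangling raw pointer survives
};

using Handler = std::function<Result(const std::string&)>;

// Minimal model of the command bus: handlers keyed by command name.
class CommandBus {
public:
    void subscribe(const std::string& cmd, Handler h) { handlers_[cmd] = std::move(h); }
    Result publish(const std::string& cmd, const std::string& payload) {
        auto it = handlers_.find(cmd);
        return it == handlers_.end() ? Result::UnknownCommand : it->second(payload);
    }
private:
    std::map<std::string, Handler> handlers_;
};

// Startup followed by one session_setup command; the handler is subscribed
// even when init fails, matching the condition the advisory describes.
Result start_and_send(bool have_ipv6_link_local, const std::string& evse_id) {
    Charger charger;
    CommandBus bus;
    charger.init(have_ipv6_link_local);
    bus.subscribe("session_setup", [&](const std::string& p) { return charger.handle_session_setup(p); });
    return bus.publish("session_setup", evse_id);
}
```
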

Added: Mar 26, 2026, 5:49 PM
Updated: Mar 26, 2026, 5:49 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.