CVE-2026-29044

Description

EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines `transaction_active=false` and only calls `withdraw_authorization_callback`. This path ultimately calls `Charger::deauthorize()`, but no actual stop (StopTransaction) occurs in the Charging state. As a result, authorization withdrawal can be defeated by timing, allowing charging to continue. Version 2026.02.0 contains a patch.

CVSS Details

CVSS Score

5.0

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L

Configurations (Affected Products)

cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:* - VULNERABLE

EVerest < 2026.02.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import time
import asyncio

# This is a conceptual PoC to demonstrate the race condition.
# It simulates sending WithdrawAuthorization before TransactionStarted.

async def exploit_everest():
    print("[*] EVerest CVE-2026-29044 PoC Simulation")
    print("[*] Target: EVerest < 2026.02.0")

    # 1. Normal Start Transaction Request
    print("[+] Step 1: Sending StartTransaction request...")
    # Assume this triggers the internal process but the event is delayed

    # 2. Malicious Timing: Send WithdrawAuthorization immediately
    # This is the core of the exploit: race the internal event processing
    print("[+] Step 2: Sending WithdrawAuthorization (Race Condition Triggered)...")
    
    # Simulate system logic vulnerability
    transaction_active = False # Because TransactionStarted event hasn't been processed yet
    
    if not transaction_active:
        print("[!] System Logic Flaw: AuthHandler sees transaction_active=False")
        print("[!] System calls: withdraw_authorization_callback -> Charger::deauthorize()")
        print("[-] System FAILS to send: StopTransaction")
    else:
        print("[-] Patched behavior: StopTransaction would be sent.")

    print("[+] Step 3: TransactionStarted event finally processed.")
    print("[*] Result: Charging continues without authorization (Bypass Successful).")

if __name__ == "__main__":
    asyncio.run(exploit_everest())

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-29044
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-29044
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-29044/
[4] VulDB https://vuldb.com/cve/CVE-2026-29044
[5] https://github.com/EVerest/EVerest/security/advisories/GHSA-gx37-p775-qf5v

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-29044", "sourceIdentifier": "[email protected]", "published": "2026-03-26T17:16:34.503", "lastModified": "2026-03-31T14:40:50.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines `transaction_active=false` and only calls `withdraw_authorization_callback`. This path ultimately calls `Charger::deauthorize()`, but no actual stop (StopTransaction) occurs in the Charging state. As a result, authorization withdrawal can be defeated by timing, allowing charging to continue. Version 2026.02.0 contains a patch."}, {"lang": "es", "value": "EVerest es una pila de software de carga de vehículos eléctricos. Antes de la versión 2026.02.0, cuando WithdrawAuthorization se procesa antes del evento TransactionStarted, AuthHandler determina que 'transaction_active=false' y solo llama a 'withdraw_authorization_callback'. Esta ruta finalmente llama a 'Charger::deauthorize()', pero no se produce una detención real (StopTransaction) en el estado de Carga. Como resultado, la retirada de la autorización puede ser eludida por el tiempo, permitiendo que la carga continúe. La versión 2026.02.0 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.7, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*", "versionEndExcluding": "2026.02.0", "matchCriteriaId": "EB167E67-6808-4F7B-9505-FFF0C02B288C"}]}]}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-gx37-p775-qf5v", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}