CVE-2025-68136 in everest-coreinfo

Summary

by MITRE • 01/21/2026

EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives an SDP request, it creates a whole new set of objects like `Session`, `IConnection` which open a new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, without closing and destroying the previous ones. The previous `Session` is not saved and the usage of a `unique_ptr` is lost, destroying connection data. Later, if the used socket and therefore file descriptor is not the last one, it will lead to a null pointer dereference. Version 2025.10.0 fixes the issue.


Analysis

by VulDB Data Team • 01/22/2026

The vulnerability described in CVE-2025-68136 affects EVerest, an open-source electric vehicle charging software stack that implements the ISO15118-20 communication protocol for EV charging stations. This flaw represents a classic memory management issue that manifests through improper resource cleanup and object lifecycle handling within the SDP (Secure Data Protocol) request processing mechanism. The vulnerability exists in versions prior to 2025.10.0 and stems from inadequate handling of connection objects during SDP request processing.

The technical flaw occurs when the EVerest module processes an SDP request and creates new objects including `Session` and `IConnection` instances that establish new TCP sockets for ISO15118-20 communications. The system fails to properly close or destroy the previous connection objects and their associated file descriptors before creating new ones. This results in a memory leak scenario where the previous `Session` objects remain in memory without proper cleanup, while the `unique_ptr` responsible for managing these resources becomes orphaned. The improper resource management creates a situation where file descriptors are not properly closed, leading to resource exhaustion and potential system instability.

The operational impact of this vulnerability is significant within the EV charging infrastructure context. When multiple SDP requests are processed in sequence, each new request creates a new connection without cleaning up the previous one, so the system accumulates unused connection objects and file descriptors. The critical failure occurs when the system attempts to use a socket that is not the most recently created one, leading to a null pointer dereference. This type of memory corruption vulnerability can result in application crashes, service interruptions, and potentially provide an attacker with opportunities for denial of service attacks against EV charging stations. The vulnerability specifically aligns with CWE-415, which addresses double free errors, and CWE-416, which covers use after free conditions, though the manifestation here is through improper resource cleanup rather than direct memory corruption.

The root cause analysis reveals a fundamental flaw in the object lifecycle management within the SDP request handler. The system demonstrates poor resource management practices: connection cleanup is not enforced before new connections are created, and the existing `unique_ptr` mechanism is not used to ensure automatic resource deallocation. This vulnerability pattern is commonly observed in embedded systems and protocol implementations where resource constraints and connection state management become complex. The issue demonstrates characteristics consistent with ATT&CK technique T1499.004, which involves network disruption through resource exhaustion, and represents a classic example of inadequate memory management in real-time embedded systems. The fix implemented in version 2025.10.0 addresses the core problem by ensuring proper cleanup of previous connection objects and file descriptors before new ones are created. This prevents the accumulation of orphaned resources and eliminates the null pointer dereference that could occur when accessing previously created but improperly cleaned up connections.
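The lifecycle pattern described above, modelled as an added C++ example (constructed here, not EVerest's own code): the unsafe handler overwrites the `unique_ptr` on every SDP request while the old socket's callback stays registered, so a later event on that stale descriptor finds no `Session` behind it; the fixed handler unregisters and destroys the previous connection first. `Session`, `SdpModule`, the method names and the descriptor numbers are hypothetical stand-ins.

```cpp
#include <cstddef>
#include <memory>
#include <set>

// Constructed model; Session, SdpModule and the fd numbers are hypothetical stand-ins.
struct Session {
    int fd;  // stands in for the TCP socket opened for ISO15118-20 traffic
    explicit Session(int f) : fd(f) {}
    ~Session() = default;  // a real implementation would close(fd) here
};

enum class DispatchResult { Handled, Unregistered, StaleNull };

class SdpModule {
public:
    // Vulnerable pattern: each SDP request builds a fresh Session and registers a
    // callback for its fd, then overwrites the unique_ptr. The previous Session is
    // destroyed, but its fd stays registered with the event loop.
    int on_sdp_request_unsafe() {
        auto s = std::make_unique<Session>(next_fd_++);
        registered_fds_.insert(s->fd);
        session_ = std::move(s);  // old Session dropped here; its callback survives
        return session_->fd;
    }
    // Fixed pattern: unregister and tear down the previous connection first.
    int on_sdp_request_safe() {
        if (session_) {
            registered_fds_.erase(session_->fd);  // drop the old callback
            session_.reset();                     // close socket, destroy Session
        }
        session_ = std::make_unique<Session>(next_fd_++);
        registered_fds_.insert(session_->fd);
        return session_->fd;
    }
    // Event-loop dispatch. StaleNull marks the state in which the original code
    // dereferences a null Session pointer for a socket that is not the newest one.
    DispatchResult dispatch(int fd) const {
        if (registered_fds_.count(fd) == 0) return DispatchResult::Unregistered;
        const Session* s = (session_ && session_->fd == fd) ? session_.get() : nullptr;
        return s ? DispatchResult::Handled : DispatchResult::StaleNull;
    }
    std::size_t registered_fd_count() const { return registered_fds_.size(); }

private:
    int next_fd_ = 10;  // constructed descriptor numbers, not real sockets
    std::unique_ptr<Session> session_;
    std::set<int> registered_fds_;
};
```

With two requests in a row, the unsafe module keeps two registered descriptors and reports `StaleNull` for the first one; the safe module keeps only the newest registration.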

Responsible

GitHub M

Reservation

12/15/2025

Disclosure

01/21/2026

Moderation

accepted

CPE

ready

EPSS

0.00051

KEV

no

Activities

very low
