CVE-2025-68136
January 21, 2026
EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like "Session", "IConnection" which open new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, without closing and destroying the previous ones. Previous "Session" is not saved and the usage of an "unique_ptr" is lost, destroying connection data. Latter, if the used socket and therefore file descriptor is not the last one, it will lead to a null pointer dereference. Version 2025.10.0 fixes the issue.
Affected Packages
https://github.com/EVerest/everest-core.git (GITHUB):
Affected version(s) >=2022-11.0 <2025.10.0Fix Suggestion:
Update to version 2025.10.0Related ResourcesĀ (1)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.3
Attack Vector
ADJACENT
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
HIGH
CVSS v3
Base Score:
7.4
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Allocation of Resources Without Limits or Throttling
EPSS
Base Score:
0.04
