Skip to main content

Everest Core CVE-2026-26070

| EUVDEUVD-2026-16203 MEDIUM
Race Condition (CWE-362)
2026-03-26 GitHub_M
4.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.6 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.02.0
EUVD ID Assigned
Mar 26, 2026 - 15:00 euvd
EUVD-2026-16203
Analysis Generated
Mar 26, 2026 - 15:00 vuln.today
CVE Published
Mar 26, 2026 - 14:45 nvd
MEDIUM 4.6

DescriptionGitHub Advisory

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to std::map<std::optional> concurrent access (container/optional corruption possible). The trigger is an EV SoC update with powermeter periodic update and unplugging/SessionFinished state. Version 2026.2.0 contains a patch.

AnalysisAI

Concurrent access to std::map<std::optional> in EVerest-Core versions prior to 2026.02.0 causes a data race condition that can corrupt container state during simultaneous EV state-of-charge updates, power meter periodic updates, and session termination events, resulting in denial of service of the EV charging stack. EVerest-Core (cpe:2.3:a:everest:everest-core) is the affected product, with patched version 2026.02.0 available. No public exploit code has been identified at time of analysis, and this vulnerability is not confirmed actively exploited; however, the condition is readily triggerable through normal charging operations combining multiple concurrent data sources.

Technical ContextAI

EVerest is an open-source EV charging software stack that manages real-time state across multiple concurrent data streams including vehicle state-of-charge telemetry, AC/DC power meter readings, and session lifecycle events. The vulnerability is rooted in CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), specifically a race condition within std::map<std::optional> container operations. The affected product is identified via CPE cpe:2.3:a:everest:everest-core:*:*:*:*:*:*:*:*. The race occurs when three concurrent operations interact: (1) EV SoC update threads writing vehicle state, (2) power meter periodic update threads reading/writing meter data, and (3) session lifecycle transitions (unplugging or SessionFinished state changes). Without proper synchronization primitives (mutexes, atomics, or lock-free structures), concurrent map access results in undefined behavior, including iterator invalidation, double-deletion, or memory corruption of the optional wrapper itself.

RemediationAI

Upgrade EVerest-Core to version 2026.02.0 or later as released by the EVerest project. For deployments unable to immediately patch, implement network-level isolation of charging station management interfaces and power meter communication streams to reduce the likelihood of concurrent data stream interference, though this does not eliminate the underlying race condition. Monitor system logs for unexpected session terminations or availability drops, which may indicate exploitation attempts or trigger conditions. Deploy the upgrade at the earliest maintenance window, as the patch directly addresses the synchronization defect without known side effects.

CVE-2026-22790 HIGH
8.8 Mar 26

Remote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attacker

CVE-2026-23995 HIGH
8.4 Mar 26

Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary

CVE-2026-22593 HIGH
8.4 Mar 26

Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certifica

CVE-2026-33009 HIGH
8.2 Mar 26

Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attacker

CVE-2026-26008 HIGH
7.5 Mar 26

Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unau

CVE-2026-26074 HIGH
7.0 Mar 26

Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to co

CVE-2026-26073 MEDIUM
5.9 Mar 26

EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling tr

CVE-2026-27828 MEDIUM
5.5 Mar 26

EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_charg

CVE-2026-27816 MEDIUM
5.5 Mar 26

EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handl

CVE-2026-27815 MEDIUM
5.5 Mar 26

Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corr

CVE-2026-27813 MEDIUM
5.3 Mar 26

EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memo

CVE-2026-33015 MEDIUM
5.2 Mar 26

EVerest charging software stack versions prior to 2026.02.0 allow EV operators to bypass remote stop commands issued by

Share

CVE-2026-26070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy