Skip to main content

Everest CVE-2026-26071

| EUVDEUVD-2026-16205 MEDIUM
Race Condition (CWE-362)
2026-03-26 security-advisories@github.com
4.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.2 MEDIUM
AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Physical
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.02.0
EUVD ID Assigned
Mar 26, 2026 - 15:22 euvd
EUVD-2026-16205
Analysis Generated
Mar 26, 2026 - 15:22 vuln.today
CVE Published
Mar 26, 2026 - 15:16 nvd
MEDIUM 4.2

DescriptionGitHub Advisory

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to std::string concurrent access. with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0 contains a patch.

AnalysisAI

EVerest EV charging software versions before 2026.02.0 contain a race condition in std::string handling triggered by concurrent EVCCID updates and OCPP session events, potentially leading to heap-use-after-free and denial of service. Local attackers with physical access to the charging infrastructure can exploit this timing-dependent vulnerability to crash the charging service. A patch is available in version 2026.02.0 or later.

Technical ContextAI

EVerest is an open-source EV charging software stack that implements multiple concurrent protocols including ISO 15118 (EV-to-charger communication) and OCPP (Open Charge Point Protocol) for session management. The vulnerability exists in the core charger management logic where EVCCID (Electric Vehicle Communication Controller Identification) strings are updated by multiple concurrent event handlers without proper synchronization. The root cause is CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), where unsynchronized access to std::string objects in C++ can lead to undefined behavior, memory corruption, and potential heap-use-after-free conditions when the string's internal buffer is reallocated or freed while another thread is accessing it. This is particularly dangerous in embedded charging infrastructure where protocol handlers operate asynchronously.

RemediationAI

Upgrade EVerest Core to version 2026.02.0 or later, which contains the synchronization fix for concurrent std::string access. The patched version is available from the EVerest project repository. Until patching is feasible, charging station operators should monitor system logs for unexpected terminations or crashes during high-concurrency charging sessions (multiple vehicles initiating authentication simultaneously) and consider implementing watchdog timers or automated restart mechanisms to minimize availability impact. For new deployments, use version 2026.02.0 or later exclusively. Network isolation of charging infrastructure from untrusted networks provides defense-in-depth but does not mitigate the underlying race condition. See the vendor advisory at https://github.com/EVerest/EVerest/security/advisories/GHSA-xww8-4hfx-9fjw for detailed patch notes and upgrade procedures.

CVE-2025-68137 HIGH POC
8.3 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse

CVE-2025-68141 HIGH POC
7.4 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes`

CVE-2025-68136 HIGH POC
7.4 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates

CVE-2025-68133 HIGH POC
7.4 Jan 21

EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's

CVE-2025-68135 MEDIUM POC
6.5 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by

CVE-2025-68132 MEDIUM POC
4.6 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermet

CVE-2026-23955 MEDIUM POC
4.2 Jan 21

Everest EV charging software prior to version 2025.9.0 contains an improper pointer arithmetic flaw in error handling wh

CVE-2025-68134 HIGH
7.4 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors

CVE-2026-24003 MEDIUM
4.3 Jan 26

EVerest is an EV charging software stack. [CVSS 4.3 MEDIUM]

CVE-2025-68140 MEDIUM
4.3 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has b

CVE-2025-68139 MEDIUM
4.3 Jan 21

EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminat

CVE-2026-26072 MEDIUM
4.2 Mar 26

EVerest EV charging software prior to version 2026.02.0 contains a race condition in concurrent map access that can corr

Share

CVE-2026-26071 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy