Severity by source
AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to std::string concurrent access. with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0 contains a patch.
AnalysisAI
EVerest EV charging software versions before 2026.02.0 contain a race condition in std::string handling triggered by concurrent EVCCID updates and OCPP session events, potentially leading to heap-use-after-free and denial of service. Local attackers with physical access to the charging infrastructure can exploit this timing-dependent vulnerability to crash the charging service. A patch is available in version 2026.02.0 or later.
Technical ContextAI
EVerest is an open-source EV charging software stack that implements multiple concurrent protocols including ISO 15118 (EV-to-charger communication) and OCPP (Open Charge Point Protocol) for session management. The vulnerability exists in the core charger management logic where EVCCID (Electric Vehicle Communication Controller Identification) strings are updated by multiple concurrent event handlers without proper synchronization. The root cause is CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), where unsynchronized access to std::string objects in C++ can lead to undefined behavior, memory corruption, and potential heap-use-after-free conditions when the string's internal buffer is reallocated or freed while another thread is accessing it. This is particularly dangerous in embedded charging infrastructure where protocol handlers operate asynchronously.
RemediationAI
Upgrade EVerest Core to version 2026.02.0 or later, which contains the synchronization fix for concurrent std::string access. The patched version is available from the EVerest project repository. Until patching is feasible, charging station operators should monitor system logs for unexpected terminations or crashes during high-concurrency charging sessions (multiple vehicles initiating authentication simultaneously) and consider implementing watchdog timers or automated restart mechanisms to minimize availability impact. For new deployments, use version 2026.02.0 or later exclusively. Network isolation of charging infrastructure from untrusted networks provides defense-in-depth but does not mitigate the underlying race condition. See the vendor advisory at https://github.com/EVerest/EVerest/security/advisories/GHSA-xww8-4hfx-9fjw for detailed patch notes and upgrade procedures.
EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse
EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes`
EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates
EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's
EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by
EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermet
Everest EV charging software prior to version 2025.9.0 contains an improper pointer arithmetic flaw in error handling wh
EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors
EVerest is an EV charging software stack. [CVSS 4.3 MEDIUM]
EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has b
EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminat
EVerest EV charging software prior to version 2026.02.0 contains a race condition in concurrent map access that can corr
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16205