Skip to main content

Everest CVE-2026-26072

| EUVDEUVD-2026-16207 MEDIUM
Race Condition (CWE-362)
2026-03-26 security-advisories@github.com
4.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.2 MEDIUM
AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Physical
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.02.0
EUVD ID Assigned
Mar 26, 2026 - 15:22 euvd
EUVD-2026-16207
Analysis Generated
Mar 26, 2026 - 15:22 vuln.today
CVE Published
Mar 26, 2026 - 15:16 nvd
MEDIUM 4.2

DescriptionGitHub Advisory

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to std::map<std::optional> concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue.

AnalysisAI

EVerest EV charging software prior to version 2026.02.0 contains a race condition in concurrent map access that can corrupt internal data structures when EV state-of-charge updates coincide with power meter refreshes and session termination events. Local attackers with physical access to charging equipment can trigger this condition to cause denial of service by crashing the charging system. Patch availability is limited to version 2026.02.0 and later.

Technical ContextAI

The vulnerability is rooted in CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), a race condition affecting concurrent access to a std::map container holding std::optional elements. In EVerest, this manifests when three concurrent operations occur without proper locking: EV state-of-charge (SoC) updates from the vehicle, periodic power meter readings from connected hardware, and session state transitions (unplugging events or SessionFinished status changes). The std::map and std::optional types lack internal thread-safety guarantees in standard C++ libraries, and unsynchronized concurrent modification can lead to iterator invalidation, container corruption, and undefined behavior. EVerest is identified via affected version everest-core < 2026.02.0, indicating this is the core EV charging orchestration component.

RemediationAI

Upgrade EVerest to version 2026.02.0 or later to obtain the patch that resolves the std::map<std::optional> race condition. Until patching is feasible, restrict physical access to charging stations and power meter hardware to authorized personnel only, reducing the likelihood of triggering the concurrent SoC update, power meter periodic read, and session termination conditions simultaneously. Implement monitoring and logging of session state transitions and power meter events to detect unexpected container corruption or state machine anomalies. Consult the official GitHub security advisory (https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v) for detailed deployment guidance and any configuration hardening recommendations from the EVerest maintainers.

CVE-2025-68137 HIGH POC
8.3 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse

CVE-2025-68141 HIGH POC
7.4 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes`

CVE-2025-68136 HIGH POC
7.4 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates

CVE-2025-68133 HIGH POC
7.4 Jan 21

EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's

CVE-2025-68135 MEDIUM POC
6.5 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by

CVE-2025-68132 MEDIUM POC
4.6 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermet

CVE-2026-23955 MEDIUM POC
4.2 Jan 21

Everest EV charging software prior to version 2025.9.0 contains an improper pointer arithmetic flaw in error handling wh

CVE-2025-68134 HIGH
7.4 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors

CVE-2026-24003 MEDIUM
4.3 Jan 26

EVerest is an EV charging software stack. [CVSS 4.3 MEDIUM]

CVE-2025-68140 MEDIUM
4.3 Jan 21

EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has b

CVE-2025-68139 MEDIUM
4.3 Jan 21

EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminat

CVE-2026-26071 MEDIUM
4.2 Mar 26

EVerest EV charging software versions before 2026.02.0 contain a race condition in std::string handling triggered by con

Share

CVE-2026-26072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy