Severity by source
AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to std::map<std::optional> concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue.
AnalysisAI
EVerest EV charging software prior to version 2026.02.0 contains a race condition in concurrent map access that can corrupt internal data structures when EV state-of-charge updates coincide with power meter refreshes and session termination events. Local attackers with physical access to charging equipment can trigger this condition to cause denial of service by crashing the charging system. Patch availability is limited to version 2026.02.0 and later.
Technical ContextAI
The vulnerability is rooted in CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), a race condition affecting concurrent access to a std::map container holding std::optional elements. In EVerest, this manifests when three concurrent operations occur without proper locking: EV state-of-charge (SoC) updates from the vehicle, periodic power meter readings from connected hardware, and session state transitions (unplugging events or SessionFinished status changes). The std::map and std::optional types lack internal thread-safety guarantees in standard C++ libraries, and unsynchronized concurrent modification can lead to iterator invalidation, container corruption, and undefined behavior. EVerest is identified via affected version everest-core < 2026.02.0, indicating this is the core EV charging orchestration component.
RemediationAI
Upgrade EVerest to version 2026.02.0 or later to obtain the patch that resolves the std::map<std::optional> race condition. Until patching is feasible, restrict physical access to charging stations and power meter hardware to authorized personnel only, reducing the likelihood of triggering the concurrent SoC update, power meter periodic read, and session termination conditions simultaneously. Implement monitoring and logging of session state transitions and power meter events to detect unexpected container corruption or state machine anomalies. Consult the official GitHub security advisory (https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v) for detailed deployment guidance and any configuration hardening recommendations from the EVerest maintainers.
EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse
EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes`
EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates
EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's
EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by
EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermet
Everest EV charging software prior to version 2025.9.0 contains an improper pointer arithmetic flaw in error handling wh
EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors
EVerest is an EV charging software stack. [CVSS 4.3 MEDIUM]
EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has b
EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminat
EVerest EV charging software versions before 2026.02.0 contain a race condition in std::string handling triggered by con
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16207