Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible std::queue/std::deque corruption. The trigger is powermeter public key update and EV session/error events (while OCPP not started). This results in a TSAN data race report and an ASAN/UBSAN misaligned address runtime error being observed. Version 2026.02.0 contains a patch.
AnalysisAI
EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling triggered by concurrent powermeter public key updates and EV session/error events, resulting in heap corruption and potential denial of service. Unauthenticated remote attackers can exploit this via specially timed network events to crash the charging infrastructure, though successful exploitation requires precise timing due to high attack complexity. The vulnerability affects everest-core and has been patched in version 2026.02.0.
Technical ContextAI
EVerest is an open-source EV charging software stack that manages communication protocols including OCPP (Open Charge Point Protocol). The vulnerability stems from a CWE-122 (Heap-based Buffer Overflow) class issue manifesting as a data race in C++ standard library containers (std::queue and std::deque). The root cause involves unsynchronized concurrent access to shared queue structures during powermeter key material updates and EV session state transitions, particularly when the OCPP protocol handler has not yet initialized. Thread sanitizer (TSAN) detects the race condition, while address sanitizer (ASAN) and undefined behavior sanitizer (UBSAN) report misaligned memory access errors. The CPE designation cpe:2.3:a:everest:everest-core identifies the affected product family across all vulnerable versions prior to 2026.02.0.
RemediationAI
Upgrade EVerest (everest-core) to version 2026.02.0 or later, which contains the patch addressing the data race condition. This is the primary and definitive remediation. Organizations unable to immediately patch should implement network segmentation to restrict EV charging station access to trusted infrastructure, disable powermeter key update functionality if operationally feasible, or implement monitoring for TSAN/ASAN runtime errors in logs as a temporary detection control. Consult the vendor advisory at https://github.com/EVerest/EVerest/security/advisories/GHSA-jf36-f4f9-7qc2 for deployment-specific guidance. Testing the patched version in a staging environment prior to production deployment is recommended given the timing-sensitive nature of the original defect.
More in Everest Core
View allRemote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attacker
Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary
Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certifica
Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attacker
Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unau
Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to co
EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_charg
EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handl
Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corr
EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memo
EVerest charging software stack versions prior to 2026.02.0 allow EV operators to bypass remote stop commands issued by
EVerest-core prior to version 2026.02.0 fails to properly terminate EV charging transactions during remote stop operatio
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16216