Skip to main content

Everest Core CVE-2026-26073

| EUVDEUVD-2026-16216 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-03-26 GitHub_M
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.02.0
EUVD ID Assigned
Mar 26, 2026 - 16:45 euvd
EUVD-2026-16216
Analysis Generated
Mar 26, 2026 - 16:45 vuln.today
CVE Published
Mar 26, 2026 - 16:15 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible std::queue/std::deque corruption. The trigger is powermeter public key update and EV session/error events (while OCPP not started). This results in a TSAN data race report and an ASAN/UBSAN misaligned address runtime error being observed. Version 2026.02.0 contains a patch.

AnalysisAI

EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling triggered by concurrent powermeter public key updates and EV session/error events, resulting in heap corruption and potential denial of service. Unauthenticated remote attackers can exploit this via specially timed network events to crash the charging infrastructure, though successful exploitation requires precise timing due to high attack complexity. The vulnerability affects everest-core and has been patched in version 2026.02.0.

Technical ContextAI

EVerest is an open-source EV charging software stack that manages communication protocols including OCPP (Open Charge Point Protocol). The vulnerability stems from a CWE-122 (Heap-based Buffer Overflow) class issue manifesting as a data race in C++ standard library containers (std::queue and std::deque). The root cause involves unsynchronized concurrent access to shared queue structures during powermeter key material updates and EV session state transitions, particularly when the OCPP protocol handler has not yet initialized. Thread sanitizer (TSAN) detects the race condition, while address sanitizer (ASAN) and undefined behavior sanitizer (UBSAN) report misaligned memory access errors. The CPE designation cpe:2.3:a:everest:everest-core identifies the affected product family across all vulnerable versions prior to 2026.02.0.

RemediationAI

Upgrade EVerest (everest-core) to version 2026.02.0 or later, which contains the patch addressing the data race condition. This is the primary and definitive remediation. Organizations unable to immediately patch should implement network segmentation to restrict EV charging station access to trusted infrastructure, disable powermeter key update functionality if operationally feasible, or implement monitoring for TSAN/ASAN runtime errors in logs as a temporary detection control. Consult the vendor advisory at https://github.com/EVerest/EVerest/security/advisories/GHSA-jf36-f4f9-7qc2 for deployment-specific guidance. Testing the patched version in a staging environment prior to production deployment is recommended given the timing-sensitive nature of the original defect.

CVE-2026-22790 HIGH
8.8 Mar 26

Remote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attacker

CVE-2026-23995 HIGH
8.4 Mar 26

Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary

CVE-2026-22593 HIGH
8.4 Mar 26

Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certifica

CVE-2026-33009 HIGH
8.2 Mar 26

Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attacker

CVE-2026-26008 HIGH
7.5 Mar 26

Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unau

CVE-2026-26074 HIGH
7.0 Mar 26

Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to co

CVE-2026-27828 MEDIUM
5.5 Mar 26

EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_charg

CVE-2026-27816 MEDIUM
5.5 Mar 26

EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handl

CVE-2026-27815 MEDIUM
5.5 Mar 26

Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corr

CVE-2026-27813 MEDIUM
5.3 Mar 26

EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memo

CVE-2026-33015 MEDIUM
5.2 Mar 26

EVerest charging software stack versions prior to 2026.02.0 allow EV operators to bypass remote stop commands issued by

CVE-2026-33014 MEDIUM
5.2 Mar 26

EVerest-core prior to version 2026.02.0 fails to properly terminate EV charging transactions during remote stop operatio

Share

CVE-2026-26073 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy