Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible std::map<std::queue> corruption. The trigger is CSMS GetLog/UpdateFirmware request (network) with an EVSE fault event (physical). This results in TSAN reports concurrent access (data race) to event_queue. Version 2026.2.0 contains a patch.
AnalysisAI
Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to corrupt critical data structures when CSMS GetLog or UpdateFirmware requests coincide with EVSE fault events, potentially causing information disclosure, data integrity issues, and high availability impact. The vulnerability affects all versions prior to 2026.02.0, for which a vendor patch is available. SSVC analysis indicates no current exploitation, non-automatable attack surface, and partial technical impact. EPSS data not provided; no public exploit identified at time of analysis.
Technical ContextAI
EVerest-core (cpe:2.3:a:everest:everest-core) is an open-source software stack for electric vehicle charging infrastructure, managing communication between charging stations and central management systems (CSMS). The vulnerability is a classic race condition (CWE-362) where simultaneous network-triggered administrative commands (GetLog, UpdateFirmware via CSMS protocol) and physical hardware events (EVSE faults) cause unsynchronized access to a shared std::map containing std::queue objects. Thread Sanitizer (TSAN) tooling detected the concurrent writes to the event_queue data structure. Without proper mutex protection or atomic operations, this data race can corrupt the C++ Standard Template Library containers, leading to unpredictable behavior including memory corruption, leaked sensitive log data, or denial of service when the queue state becomes inconsistent.
RemediationAI
Upgrade EVerest everest-core to version 2026.02.0 or later, which contains a vendor-released patch addressing the data race condition (see GitHub advisory GHSA-p3hg-vqgv-h524 at https://github.com/EVerest/EVerest/security/advisories/GHSA-p3hg-vqgv-h524). Until patching is possible, implement network segmentation to restrict CSMS protocol access to trusted management networks only, reducing exposure to unauthenticated remote attackers. Monitor charging stations for anomalous behavior including unexpected restarts or log corruption following GetLog or UpdateFirmware operations coinciding with hardware fault events. Consider rate-limiting CSMS administrative commands during peak operational periods when EVSE faults are more probable. For critical infrastructure deployments, test the patch in non-production environments first to validate compatibility with existing CSMS integrations.
More in Everest Core
View allRemote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attacker
Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary
Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certifica
Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attacker
Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unau
EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling tr
EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_charg
EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handl
Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corr
EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memo
EVerest charging software stack versions prior to 2026.02.0 allow EV operators to bypass remote stop commands issued by
EVerest-core prior to version 2026.02.0 fails to properly terminate EV charging transactions during remote stop operatio
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16218