Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging message and results in Charger::shared_context / internal_context accessed concurrently without lock. Version 2026.02.0 contains a patch.
AnalysisAI
Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attackers to trigger undefined behavior and potential memory corruption through unauthenticated MQTT messages. The data race condition in Charger::shared_context occurs when processing switch_three_phases_while_charging commands without proper locking, yielding CVSS 8.2 (High) with potential for availability disruption and data integrity impact. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication requirements (CVSS:3.1/AV:N/AC:L/PR:N/UI:N).
Technical ContextAI
EVerest is an open-source electric vehicle charging station software stack deployed in EV infrastructure implementations. The vulnerability affects everest-core (CPE: cpe:2.3:a:everest:everest-core:*:*:*:*:*:*:*:*) and stems from CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, commonly called a race condition). The flaw manifests when the MQTT message broker delivers everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging commands that trigger concurrent access to Charger::shared_context and internal_context data structures without mutex protection. This classic thread-safety violation in C++ creates undefined behavior where memory reads and writes may interleave unpredictably, potentially causing memory corruption, use-after-free conditions, or state inconsistencies in charging control logic.
RemediationAI
Upgrade EVerest everest-core to version 2026.02.0 or later, which contains the vendor-released patch addressing the concurrent access vulnerability (see https://github.com/EVerest/EVerest/security/advisories/GHSA-33qh-fg6f-jjx5). Until patching is feasible, implement network-level controls to restrict MQTT broker access to trusted administrative networks only, filtering the everest_external/nodered/*/cmd/switch_three_phases_while_charging message topic at the MQTT broker level if dynamic phase-switching is not operationally required. Deploy intrusion detection signatures monitoring for anomalous MQTT message patterns targeting EVerest command topics. Given the network-accessible attack vector without authentication requirements, prioritize patching for internet-facing or multi-tenant charging infrastructure deployments.
More in Everest Core
View allRemote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attacker
Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary
Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certifica
Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unau
Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to co
EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling tr
EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_charg
EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handl
Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corr
EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memo
EVerest charging software stack versions prior to 2026.02.0 allow EV operators to bypass remote stop commands issued by
EVerest-core prior to version 2026.02.0 fails to properly terminate EV charging transactions during remote stop operatio
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16250