What is the CVSS score of CVE-2026-33009?

CVE-2026-33009 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H. EPSS exploitation probability: 0.0%.

Which versions of EVerest are affected by CVE-2026-33009?

CVE-2026-33009 affects EVerest EV charging software versions prior to 2026.02.0, allowing unauthenticated remote attackers to corrupt shared memory and disrupt charging operations through malicious…. A patch is available.

EVerest CVE-2026-33009

EUVD-2026-16250 HIGH

Race Condition (CWE-362)

2026-03-26 GitHub_M

Buffer Overflow Race Condition

8.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:13 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

2026.02.0

EUVD ID Assigned

Mar 26, 2026 - 16:45 euvd

EUVD-2026-16250

Analysis Generated

Mar 26, 2026 - 16:45 vuln.today

CVE Published

Mar 26, 2026 - 16:39 nvd

HIGH 8.2

DescriptionNVD

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging message and results in Charger::shared_context / internal_context accessed concurrently without lock. Version 2026.02.0 contains a patch.

AnalysisAI

Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attackers to trigger undefined behavior and potential memory corruption through unauthenticated MQTT messages. The data race condition in Charger::shared_context occurs when processing switch_three_phases_while_charging commands without proper locking, yielding CVSS 8.2 (High) with potential for availability disruption and data integrity impact. …

RemediationAI

Within 24 hours: Inventory all EVerest deployments and confirm current version numbers; isolate MQTT endpoints from untrusted networks if immediate patching is not feasible. Within 7 days: Apply vendor-released patch to upgrade all affected systems to version 2026.02.0 or later and validate patch installation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33009 vulnerability details – vuln.today

Back

EVerest CVE-2026-33009

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code