Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to std::map<std::optional> concurrent access (container/optional corruption possible). The trigger is an EV SoC update with powermeter periodic update and unplugging/SessionFinished state. Version 2026.2.0 contains a patch.
AnalysisAI
Concurrent access to std::map<std::optional> in EVerest-Core versions prior to 2026.02.0 causes a data race condition that can corrupt container state during simultaneous EV state-of-charge updates, power meter periodic updates, and session termination events, resulting in denial of service of the EV charging stack. EVerest-Core (cpe:2.3:a:everest:everest-core) is the affected product, with patched version 2026.02.0 available. No public exploit code has been identified at time of analysis, and this vulnerability is not confirmed actively exploited; however, the condition is readily triggerable through normal charging operations combining multiple concurrent data sources.
Technical ContextAI
EVerest is an open-source EV charging software stack that manages real-time state across multiple concurrent data streams including vehicle state-of-charge telemetry, AC/DC power meter readings, and session lifecycle events. The vulnerability is rooted in CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), specifically a race condition within std::map<std::optional> container operations. The affected product is identified via CPE cpe:2.3:a:everest:everest-core:*:*:*:*:*:*:*:*. The race occurs when three concurrent operations interact: (1) EV SoC update threads writing vehicle state, (2) power meter periodic update threads reading/writing meter data, and (3) session lifecycle transitions (unplugging or SessionFinished state changes). Without proper synchronization primitives (mutexes, atomics, or lock-free structures), concurrent map access results in undefined behavior, including iterator invalidation, double-deletion, or memory corruption of the optional wrapper itself.
RemediationAI
Upgrade EVerest-Core to version 2026.02.0 or later as released by the EVerest project. For deployments unable to immediately patch, implement network-level isolation of charging station management interfaces and power meter communication streams to reduce the likelihood of concurrent data stream interference, though this does not eliminate the underlying race condition. Monitor system logs for unexpected session terminations or availability drops, which may indicate exploitation attempts or trigger conditions. Deploy the upgrade at the earliest maintenance window, as the patch directly addresses the synchronization defect without known side effects.
More in Everest Core
View allRemote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attacker
Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary
Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certifica
Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attacker
Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unau
Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to co
EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling tr
EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_charg
EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handl
Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corr
EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memo
EVerest charging software stack versions prior to 2026.02.0 allow EV operators to bypass remote stop commands issued by
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16203