Is Race Condition affected by EUVD-2026-16218?

EVerest-core, an open-source EV charging software stack, contains a race condition vulnerability that allows remote attackers to corrupt critical data structures during concurrent firmware updates or diagnostic log requests and charging equipment faults.

EUVD-2026-16218

| CVE-2026-26074 HIGH

2026-03-26 GitHub_M

7.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 26, 2026 - 16:45 vuln.today

EUVD ID Assigned

Mar 26, 2026 - 16:45 euvd

EUVD-2026-16218

CVE Published

Mar 26, 2026 - 16:19 nvd

HIGH 7.0

Description

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible `std::map<std::queue>` corruption. The trigger is CSMS GetLog/UpdateFirmware request (network) with an EVSE fault event (physical). This results in TSAN reports concurrent access (data race) to `event_queue`. Version 2026.2.0 contains a patch.

Analysis

Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to corrupt critical data structures when CSMS GetLog or UpdateFirmware requests coincide with EVSE fault events, potentially causing information disclosure, data integrity issues, and high availability impact. The vulnerability affects all versions prior to 2026.02.0, for which a vendor patch is available. …

Remediation

Within 24 hours: Verify your EVerest-core version and inventory all affected deployments across charging networks. Within 7 days: Apply vendor patch to upgrade to version 2026.02.0 or later on all production and non-production instances; prioritize systems exposed to CSMS (Charging Station Management System) integration. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +35

POC: 0

EUVD-2026-16218 vulnerability details – vuln.today

Back

EUVD-2026-16218

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-16218

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code