Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is an EV SoC update with powermeter periodic update and unplugging/SessionFinished state. Version 2026.2.0 contains a patch.
Published: 2026-03-26
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch immediately
AI Analysis

Impact

A race condition exists in EVerest’s EV charging software stack that allows concurrent access to a std::map<std::optional> during an EV State of Charge (SoC) update, a power meter periodic update, and an unplug or SessionFinished event. The simultaneous operations can corrupt the internal container and cause the charge point to crash. The primary impact is a denial of service, disrupting the availability of the charging point for vehicles.

Affected Systems

The vulnerability affects the EVerest everest-core software stack in all releases prior to version 2026.02.0. Versions 2026.2.0 and later contain a patch that removes the data race.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity, and the EPSS score of less than 1% suggests low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an attacker sending an EV SoC update command while the system is performing a power meter update and the vehicle is unplugged or the session is finished, triggering the race. Because the flaw does not provide remote code execution or privilege escalation, the exploitation is confined to causing a crash of the charge point. Users running affected versions should consider the risk low to moderate in a controlled environment but should still apply the fix promptly.

Generated by OpenCVE AI on March 31, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EVerest everest-core to version 2026.2.0 or later

Generated by OpenCVE AI on March 31, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation everest
CPEs cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation everest

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Everest
Everest everest-core
Vendors & Products Everest
Everest everest-core

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is an EV SoC update with powermeter periodic update and unplugging/SessionFinished state. Version 2026.2.0 contains a patch.
Title EVerest: OCPP 2.0.1 EV SoC Update Race Causes Charge Point Crash
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Everest Everest-core
Linuxfoundation Everest
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:24:32.921Z

Reserved: 2026-02-10T18:01:31.901Z

Link: CVE-2026-26070

cve-icon Vulnrichment

Updated: 2026-03-26T17:50:15.514Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T15:16:32.680

Modified: 2026-03-31T13:07:31.953

Link: CVE-2026-26070

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:09:00Z

Weaknesses