Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::string` concurrent access. with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0 contains a patch.
Published: 2026-03-26
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A data race exists between the handling of evccid updates and OCPP session or authorization events in the EVerest EV charging software stack. The race allows concurrent access to a std::string, which can trigger a heap use‑after‑free. The result is undefined behavior, such as application crashes or memory corruption, but the description does not specify disclosure or other impacts.

Affected Systems

Versions of EVerest everest-core released before 2026.02.0 are affected. Any charging station or backend system running those earlier releases may experience the race condition when handling evccid updates.

Risk and Exploitability

The CVSS score is 4.2, indicating moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is remote: a malicious or compromised EV passenger or an attacker with the ability to send OCPP messages can trigger the race through simultaneous evccid updates and session events. No proof of exploitation is provided in the advisory.

Generated by OpenCVE AI on March 26, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EVerest everest-core to version 2026.02.0 or later, which contains the patch for the race condition.

Generated by OpenCVE AI on March 26, 2026 at 17:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Everest
Everest everest-core
Vendors & Products Everest
Everest everest-core

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::string` concurrent access. with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0 contains a patch.
Title EVerest: OCPP 2.0.1 EVCCID Data Race Leads to Heap Use‑After‑Free
Weaknesses CWE-362
CWE-416
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Everest Everest-core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:11.381Z

Reserved: 2026-02-10T18:01:31.901Z

Link: CVE-2026-26071

cve-icon Vulnrichment

Updated: 2026-03-26T19:50:49.801Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T15:16:32.847

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-26071

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:26:31Z

Weaknesses