Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::string` concurrent access. with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0 contains a patch.
Published: 2026-03-26
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Heap Use‑After‑Free leading to memory corruption or application crash
Action: Immediate Patch
AI Analysis

Impact

A data race in the EVerest EV charging software allows concurrent access to a std::string representing the EVCCID. This race can free the heap memory while another thread still references it, causing a heap‑use‑after‑free. The resulting memory corruption could crash the application or, in a worst‑case scenario, allow unpredictable execution behavior. The weakness is categorized as a data race (CWE‑362) and heap use‑after‑free (CWE‑416).

Affected Systems

The vulnerable component is EVerest’s everest‑core stack. All releases older than version 2026.02.0 are affected. Version 2026.02.0 contains the patch that removes the race condition.

Risk and Exploitability

The CVSS score of 4.2 indicates moderate impact, while the EPSS score of less than 1% suggests low probability of exploitation in the current threat landscape. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would likely require an attacker to trigger simultaneous EVCCID updates and OCPP session/authorization events, implying that the attack vector is logical rather than network‑directed. The lack of a publicly known exploit further reduces immediate risk, but the potential for application instability remains.

Generated by OpenCVE AI on March 31, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to EVerest version 2026.02.0 or later.

Generated by OpenCVE AI on March 31, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation everest
CPEs cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation everest

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Everest
Everest everest-core
Vendors & Products Everest
Everest everest-core

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::string` concurrent access. with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0 contains a patch.
Title EVerest: OCPP 2.0.1 EVCCID Data Race Leads to Heap Use‑After‑Free
Weaknesses CWE-362
CWE-416
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Everest Everest-core
Linuxfoundation Everest
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:11.381Z

Reserved: 2026-02-10T18:01:31.901Z

Link: CVE-2026-26071

cve-icon Vulnrichment

Updated: 2026-03-26T19:50:49.801Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T15:16:32.847

Modified: 2026-03-31T13:06:47.847

Link: CVE-2026-26071

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:08:59Z

Weaknesses