Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue.
Published: 2026-03-26
Score: 4.2 Medium
EPSS: n/a
KEV: No
Impact: Data Corruption and Service Disruption
Action: Patch
AI Analysis

Impact

EVerest, an EV charging software stack, contains a race condition that corrupts a std::map of optional values when simultaneous EV state‑of‑charge updates, periodic power meter updates, and session termination events occur. The flaw is a classic data‑race weakness (CWE‑362) that can lead to data corruption, causing the system to report incorrect SoC or to crash, thereby compromising data integrity and availability of the charging service.

Affected Systems

The affected component is the everest‑core module in the EVerest distribution. All releases prior to 2026.02.0 that implement the OCPP 1.6 evse_soc_map feature are vulnerable. Installations of this software stack from any vendor that bundles everest‑core are at risk.

Risk and Exploitability

The CVSS score of 4.2 indicates low to moderate severity. No exploitation has been documented in public catalogs or the CISA KEV list, and the EPSS score is unavailable. Exploitation would require an attacker to orchestrate the specific sequence of messages – an EV SoC update, a power‑meter periodic update, and an unplug/session finished status – which is a limited attack window and unlikely to be automated. As a result, the risk to most deployments is low unless an attacker can trigger the exact conditions.

Generated by OpenCVE AI on March 26, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade everest‑core to version 2026.02.0 or later
  • Validate that all deployed instances have applied the patch
  • If patching cannot be performed immediately, monitor station logs for abnormal SoC changes or crashes and enforce safe shutdown procedures


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Everest; Everest everest-core |
| Vendors & Products | | Everest; Everest everest-core |

Thu, 26 Mar 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 26 Mar 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue. |
| Title | | EVerest has race-condition-induced std::map corruption in OCPP 1.6 evse_soc_map |
| Weaknesses | | CWE-362 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.2, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:48:59.324Z

Reserved: 2026-02-10T18:01:31.901Z

Link: CVE-2026-26072

Vulnrichment

Updated: 2026-03-26T18:48:55.398Z

NVD

Status: Received

Published: 2026-03-26T15:16:33.010

Modified: 2026-03-26T15:16:33.010

Link: CVE-2026-26072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:26:30Z
