Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible `std::queue`/`std::deque` corruption. The trigger is powermeter public key update and EV session/error events (while OCPP not started). This results in a TSAN data race report and an ASAN/UBSAN misaligned address runtime error being observed. Version 2026.02.0 contains a patch.
Published: 2026-03-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap corruption via data race in EVerest event queue
Action: Patch Immediately
AI Analysis

Impact

EVerest’s event queue includes a lock‑free insertion routine that suffers from a data race. When a powerMeter public‑key update occurs concurrently with an EV session or error event before OCPP has started, the race corrupts std::queue or std::deque objects, causing heap corruption. The corruption is observed as runtime failures reported by TSAN, ASAN, or UBSAN and can lead to application crashes.

Affected Systems

EVerest Core versions released before 2026.02.0 are affected, including any EV charging deployments that use the everest‑core product prior to that patch.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. An EPSS score below 1 % suggests exploitation in the wild is currently low. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a specific sequence of events—triggering a power‑meter public‑key update followed by an EV session or error event while OCPP is not yet active—which indicates a targeted scenario, though the exact attack vector is not explicitly stated.

Generated by OpenCVE AI on March 31, 2026 at 06:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 2026.02.0 patch or later from EVerest Core
  • Verify that all deployed EV charging software uses the patched version

Generated by OpenCVE AI on March 31, 2026 at 06:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation everest
Weaknesses CWE-787
CPEs cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation everest

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Everest
Everest everest-core
Vendors & Products Everest
Everest everest-core

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible `std::queue`/`std::deque` corruption. The trigger is powermeter public key update and EV session/error events (while OCPP not started). This results in a TSAN data race report and an ASAN/UBSAN misaligned address runtime error being observed. Version 2026.02.0 contains a patch.
Title EVerest: OCPP 1.6 heap corruption caused by lock-free insertion in event_queue
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Everest Everest-core
Linuxfoundation Everest
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:11.240Z

Reserved: 2026-02-10T18:01:31.901Z

Link: CVE-2026-26073

cve-icon Vulnrichment

Updated: 2026-03-26T19:50:46.777Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T17:16:33.250

Modified: 2026-03-30T21:04:21.080

Link: CVE-2026-26073

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:08:57Z

Weaknesses