Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible `std::queue`/`std::deque` corruption. The trigger is powermeter public key update and EV session/error events (while OCPP not started). This results in a TSAN data race report and an ASAN/UBSAN misaligned address runtime error being observed. Version 2026.02.0 contains a patch.
Published: 2026-03-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap corruption enabling potential instability or exploitation
Action: Immediate Patch
AI Analysis

Impact

A data race in the lock‑free insertion of events into the event_queue can corrupt the heap in EVerest's everest-core component, as observed by tools such as TSAN and ASAN. The corruption may lead to application crashes or, depending on how the corrupted memory is used, to further control of the process. The weakness is a classic heap buffer corruption (CWE‑122).

Affected Systems

The vulnerability affects EVerest everest‑core versions released before 2026.02.0. Any deployment of EVerest that has not been updated to 2026.02.0 or later is susceptible. The specific trigger occurs when a powermeter public key update is processed together with EV session or error events while the OCPP interface has not yet started.

Risk and Exploitability

The CVSS base score is 5.9, indicating moderate severity. No EPSS information is available and the issue is not listed in CISA’s KEV catalog. The attack vector is likely internal, requiring the EV charging system to perform the constrained sequence of events (powermeter key update and EV session or error handling). Because the flaw does not expose a remote code execution path, exploitation risk is moderate but could still affect the integrity and availability of the charging station software.

Generated by OpenCVE AI on March 26, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update EVerest everest-core to version 2026.02.0 or later.
  • If an immediate update is not possible, isolate the OCPP interface so it does not start during powermeter public key updates, and avoid triggering EV session or error events at that time.
  • Monitor the application for crashes or abnormal behavior, and review system logs for ASAN/UBSAN or UNSAFE errors.
  • Apply any future vendor patches or advisories as they are released.

Generated by OpenCVE AI on March 26, 2026 at 17:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Everest
Everest everest-core
Vendors & Products Everest
Everest everest-core

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible `std::queue`/`std::deque` corruption. The trigger is powermeter public key update and EV session/error events (while OCPP not started). This results in a TSAN data race report and an ASAN/UBSAN misaligned address runtime error being observed. Version 2026.02.0 contains a patch.
Title EVerest: OCPP 1.6 heap corruption caused by lock-free insertion in event_queue
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Everest Everest-core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:11.240Z

Reserved: 2026-02-10T18:01:31.901Z

Link: CVE-2026-26073

cve-icon Vulnrichment

Updated: 2026-03-26T19:50:46.777Z

cve-icon NVD

Status : Received

Published: 2026-03-26T17:16:33.250

Modified: 2026-03-26T17:16:33.250

Link: CVE-2026-26073

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:26:28Z

Weaknesses