A data race occurs in the startup event_queue of the EVerest EV charging software stack. The race between concurrent accesses to a std::map of std::queue structures can corrupt the internal data, potentially causing malfunctioning of the charging infrastructure or denial of service. The vulnerability may expose the system to inconsistent states that could be exploited for further attacks if contingent on corrupted data. The root cause is a synchronization flaw in the handling of event_queue.

EVerest EV charging software stack, specifically the everest-core component. All releases prior to version 2026.02.0 are vulnerable. The affected code resides in the event handling module responsible for processing network requests from the CSMS and fault events from the EVSE.

The CVSS score is 7, indicating a high severity. The EPSS score of less than 1% suggests that exploitation is unlikely to be widespread, and the vulnerability is not listed in the CISA KEV catalog. The attack vector, inferred from the description, requires an attacker to send CSMS GetLog or UpdateFirmware requests while simultaneously an EVSE fault event occurs. This combination of a network request with a physical fault condition indicates that both a network-facing and a physical component must be engaged, which may reduce the breadth of potential attackers. However, the presence of a data race means that an attacker could precipitate service disruption if the conditions are met.