CVE-2026-33009 - Vulnerability Details

- EVerest: MQTT Switch-Phases Command Data Race Causing Charger State Corruptio

Description

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging` message and results in `Charger::shared_context` / `internal_context` accessed concurrently without lock. Version 2026.02.0 contains a patch.

Published: 2026-03-26

Score: 8.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

EVerest is an electric vehicle charging software stack that contains a data race in the handling of the MQTT command `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging`. The race allows simultaneous access to `Charger::shared_context` and `internal_context` without proper locking, resulting in undefined C++ behavior that can corrupt memory and disrupt the charger’s state. This weakness is a classic concurrent modification flaw (CWE‑362).

Affected Systems

All installations of EVerest everest-core running a version earlier than 2026.02.0 are affected. The vulnerability is confined to the core stack developed by the Linux Foundation and does not extend to other vendors or product families.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, but the EPSS probability is below 1% and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is network-based and requires an attacker to have the ability to publish the specific MQTT command to the broker; therefore it is limited to entities with MQTT write access. Version 2026.02.0 contains a patch that removes the race and protects the shared context. Users still exposed to older versions are at risk and should upgrade promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

EVerest

everest-core

affected

Version	Status	Constraints
`< 2026.02.0`	affected	—

Configuration 1 [-]

cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Everest

Everest-core

95%

Version	Status	Scheme	Platform
`[0,2026.02.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade EVerest everest-core to version 2026.02.0 or later.
If an upgrade is not immediately possible, configure the MQTT broker to deny or filter `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging` messages.
Ensure the MQTT broker is authenticated, not openly exposed to the internet, and that only authorized clients can publish commands.
Monitor MQTT traffic for unexpected switch commands and establish alerts for anomalous activity.

Generated by OpenCVE AI on March 31, 2026 at 15:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00036.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/EVerest/EVerest/security/advisories/GHSA-33qh-fg6f-jjx5

History

Tue, 31 Mar 2026 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linuxfoundation Linuxfoundation everest
CPEs		cpe:2.3:o:linuxfoundation:everest::::::::
Vendors & Products		Linuxfoundation Linuxfoundation everest

Sat, 28 Mar 2026 04:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 27 Mar 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Everest Everest everest-core
Vendors & Products		Everest Everest everest-core

Thu, 26 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging` message and results in `Charger::shared_context` / `internal_context` accessed concurrently without lock. Version 2026.02.0 contains a patch.
Title		EVerest: MQTT Switch-Phases Command Data Race Causing Charger State Corruptio
Weaknesses		CWE-362
References		https://github.com/EVerest/EVerest/security/advisories/GHSA-33qh-fg6f-jjx5
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}`

Subscriptions

Everest Everest-core

Linuxfoundation Everest

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-26T16:39:30.268Z

Updated: 2026-03-28T02:26:05.370Z

Reserved: 2026-03-17T17:22:14.664Z

Link: CVE-2026-33009

Vulnrichment

Updated: 2026-03-28T02:26:00.877Z

NVD

Status : Analyzed

Published: 2026-03-26T17:16:37.813

Modified: 2026-03-31T13:30:58.910

Link: CVE-2026-33009

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:08:48Z

Weaknesses

CWE-362

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object