CVE-2026-26070
Data Race in EVerest EV Charging Software Causes Corruption
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | everest | to 2026.02.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability described in CVE-2026-26070 primarily causes a denial of service by crashing the EV charging software due to a data race condition. There is no indication in the provided information that this vulnerability leads to unauthorized access, data leakage, or compromise of confidentiality or integrity of personal or sensitive data.
Since the CVSS impact metrics specify no confidentiality or integrity impact, and the issue is limited to availability disruption, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which focus on protecting personal data privacy and integrity.
However, availability is a component of some compliance frameworks, so prolonged denial of service could indirectly affect compliance if it impacts service continuity requirements.
Can you explain this vulnerability to me?
CVE-2026-26070 is a moderate severity data race vulnerability in the EVerest EV charging software stack, specifically in the everest-core package versions prior to 2026.02.0.
The issue arises from concurrent unsynchronized access to a shared object called evse_soc_map, which is a std::map that holds State of Charge (SoC) values for electric vehicle supply equipment.
Three asynchronous operations access this map simultaneously without any synchronization: reading SoC values during periodic power meter updates, writing SoC values when new EV information arrives, and resetting SoC values when a charging session finishes.
Because std::map and std::optional are not thread-safe for concurrent modifications, this leads to a data race that can corrupt the internal state of the map or its contained optional objects, causing undefined behavior and potential exceptions.
This vulnerability was confirmed by ThreadSanitizer reports and unit tests reproducing the issue, and it was fixed in version 2026.02.0 by adding proper synchronization.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service condition.
When the data race corrupts the SoC map during concurrent updates, it can cause the EV charging point software to crash.
This crash results in unavailability of the charging service, potentially interrupting charging sessions and affecting the reliability of the EV charging infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or exceptions related to the EV charging software, specifically looking for errors such as std::bad_optional_access exceptions caused by corrupted optional state in the evse_soc_map.
Detection can also be aided by running ThreadSanitizer (TSAN) on the everest-core package to identify data races involving concurrent access to the evse_soc_map.
Since the issue involves concurrent unsynchronized access to a shared std::map, commands to monitor logs for crash reports or exceptions related to the EVSE SoC updates and power meter callbacks may help.
- Run ThreadSanitizer (TSAN) on the everest-core binary or tests to detect data races.
- Monitor system logs for std::bad_optional_access exceptions or crashes in the EV charging software.
- Use debugging or logging tools to trace concurrent accesses to evse_soc_map in the modules/EVSE/OCPP201/OCPP201.cpp source.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the everest-core package to version 2026.02.0 or later, where the vulnerability has been patched by introducing proper synchronization or redesigning access to the evse_soc_map.
Until the patch is applied, avoid simultaneous operations that trigger concurrent access to the evse_soc_map, such as EV SoC updates, power meter periodic updates, and session finish events occurring at the same time.
If upgrading is not immediately possible, consider implementing external synchronization mechanisms or temporarily disabling features that cause concurrent access to reduce the risk of crashes.