CVE-2026-26071
Data Race and Heap-Use-After-Free in EVerest EV Charging Stack
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | everest | to 2026.02.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26071 is a moderate severity vulnerability in the everest-core package, specifically affecting OCPP 2.0.1 implementations within the EVerest EV charging software stack.
The issue is a data race condition involving concurrent access to a std::map<int32_t, std::string> named evse_evcc_id, which stores EVCC IDs keyed by EVSE IDs. Multiple threads access this map without any locking or synchronization.
One thread writes to the map during EVInfo updates triggered by EV/ISO15118 events, while other threads read from it during OCPP session and authorization event processing. Since std::string is not thread-safe, simultaneous read/write operations can cause heap use-after-free errors and heap corruption.
This vulnerability arises from the lack of thread-safe handling of evse_evcc_id during concurrent EVInfo updates and session event processing, leading to unsafe concurrent access of std::string objects stored in the map.
How can this vulnerability impact me? :
The primary impact of this vulnerability is on the availability of the EVerest EV charging software stack.
Exploitation can lead to heap use-after-free errors and heap corruption, which may cause crashes or instability in the software.
The CVSS v3.1 score indicates a moderate severity with high impact on availability but no impact on confidentiality or integrity.
Exploitation requires physical access and is complex, but no privileges or user interaction are needed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a data race condition in the everest-core package affecting concurrent access to a std::map containing std::string objects. Detection can be performed by using dynamic analysis tools that identify data races and heap-use-after-free errors.
- Run ThreadSanitizer (TSAN) during testing or runtime to detect data races related to concurrent access of the evse_evcc_id map.
- Use AddressSanitizer (ASAN) to detect heap-use-after-free errors caused by unsafe concurrent access to std::string objects.
Specific commands depend on your build and test environment, but typical commands include compiling the software with TSAN or ASAN enabled and running the relevant EV charging software workflows that trigger EVInfo updates and OCPP session events.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the everest-core package to version 2026.02.0 or later, which contains a patch that fixes the data race condition by properly synchronizing access to the evse_evcc_id map.
Until the upgrade can be applied, limit physical access to the affected systems since exploitation requires physical access and is complex.
Monitor the system for crashes or heap corruption symptoms that may indicate exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability described in CVE-2026-26071 primarily impacts availability due to potential crashes or heap corruption caused by unsafe concurrent access to data structures. There is no indication that confidentiality or integrity of data is affected.
Since the vulnerability does not compromise confidentiality or integrity of personal or sensitive data, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which focus on protecting personal data privacy and security.
However, the availability impact could indirectly affect compliance if the EV charging software is part of a critical infrastructure or service that must maintain uptime and reliability under regulatory requirements.