CVE-2026-26072
Data Race in EVerest EV Charging Software Causes Corruption

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: linuxfoundation | Product: everest | Version / Range: up to 2026.02.0 (exclusive)
CWE
CWE-362: The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26072 is a moderate severity race condition vulnerability in the EVerest EV charging software stack, specifically in its OCPP 1.6 implementation. The issue involves concurrent unsynchronized access to a shared data structure called `evse_soc_map`, which is a std::map containing optional state of charge (SoC) values for electric vehicle supply equipment (EVSE) IDs.

Three different threads access this map simultaneously without any synchronization mechanism: one reads SoC values during powermeter updates, another writes SoC values when new EV information arrives, and a third resets SoC values when a charging session finishes. Because std::map is not thread-safe, these concurrent accesses can corrupt the container and its optional values, causing data races and runtime exceptions.

This corruption can lead to application crashes or malfunction. The vulnerability affects versions prior to 2026.02.0, which patched the issue.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability does not impact confidentiality or integrity, as stated in the CVSS metrics. It primarily affects availability by causing potential denial of service through application crashes or malfunction.

Since the vulnerability does not lead to unauthorized access or disclosure of personal or sensitive data, it is unlikely to directly affect compliance with data protection regulations such as GDPR or HIPAA.

However, the availability impact could indirectly affect compliance if the EV charging service is critical and its downtime violates service availability requirements under certain regulations or contractual obligations.


How can this vulnerability impact me?

This vulnerability can impact you by causing denial of service conditions in the EVerest EV charging software. Specifically, the data race and corruption of the internal map can lead to application crashes or malfunction during EV charging sessions.

While it does not affect confidentiality or integrity of data, the availability of the charging software is impacted, potentially disrupting EV charging operations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a data race in the EVerest software's evse_soc_map object, which can lead to runtime exceptions and application crashes.

Detection can involve monitoring for runtime exceptions such as std::bad_optional_access or crashes related to the evse_soc_map container.

Using ThreadSanitizer (TSAN) during testing or runtime can help detect data races caused by concurrent unsynchronized access to evse_soc_map.

No specific network commands are provided, but monitoring application logs for exceptions or crashes related to the EV charging software is recommended.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the EVerest software to version 2026.02.0 or later, where the data race issue has been patched.

Until the upgrade can be applied, avoid triggering the concurrent access pattern involving simultaneous EV SoC updates, powermeter periodic updates, and SessionFinished events.

Implementing synchronization mechanisms such as mutexes around accesses to evse_soc_map can also mitigate the issue if patching is not immediately possible.
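The three-thread access pattern from the explanation above and the mutex mitigation from this answer, as an added example that is not EVerest's code: a guarded stand-in for `evse_soc_map` (a `std::map<int, std::optional<double>>`) with one lock around every read, write and reset, plus a stress routine that runs the advisory's three code paths concurrently. The class and function names (`SocStore`, `update_soc`, `reset_soc`, `read_soc`, `stress_three_paths`) are assumptions, not EVerest's API.

```cpp
// Added example (not EVerest code): a mutex-guarded stand-in for the shared
// evse_soc_map from the advisory. Class and function names are assumptions.
#include <cstdio>
#include <map>
#include <mutex>
#include <optional>
#include <thread>

class SocStore {
public:
    // EV info update path: store the latest SoC for an EVSE id.
    void update_soc(int evse_id, double soc) {
        std::lock_guard<std::mutex> lock(mtx_);
        evse_soc_map_[evse_id] = soc;
    }
    // SessionFinished path: clear the SoC for an EVSE id.
    void reset_soc(int evse_id) {
        std::lock_guard<std::mutex> lock(mtx_);
        evse_soc_map_[evse_id].reset();
    }
    // Powermeter periodic path: copy the optional out under the lock. Returning a
    // reference into the map and using it after unlocking would reopen the race.
    std::optional<double> read_soc(int evse_id) const {
        std::lock_guard<std::mutex> lock(mtx_);
        auto it = evse_soc_map_.find(evse_id);
        if (it == evse_soc_map_.end()) return std::nullopt;
        return it->second;
    }
private:
    mutable std::mutex mtx_;
    std::map<int, std::optional<double>> evse_soc_map_;
};

// Runs the three code paths from the advisory's trigger concurrently on one store;
// returns true if every read saw either no value or a SoC a writer actually stored.
bool stress_three_paths(int iterations) {
    SocStore store;
    bool reads_ok = true;  // written only by the reader thread, read after join
    std::thread ev_info([&] { for (int i = 0; i < iterations; ++i) store.update_soc(1, i % 101); });
    std::thread session_end([&] { for (int i = 0; i < iterations; ++i) store.reset_soc(1); });
    std::thread powermeter([&] {
        for (int i = 0; i < iterations; ++i) {
            std::optional<double> soc = store.read_soc(1);
            if (soc && (*soc < 0.0 || *soc > 100.0)) reads_ok = false;
        }
    });
    ev_info.join(); session_end.join(); powermeter.join();
    return reads_ok;
}
```

Compile with -std=c++17 -pthread and call `stress_three_paths(20000)` from `main`; the same three loops run against a bare, unguarded `std::map` are exactly what ThreadSanitizer (-fsanitize=thread) flags, as the detection answer above suggests.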

