CVE-2026-33009
Data Race in EVerest EV Charging Software Causes Memory Corruption
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | everest | < 2026.02.0 (fixed in 2026.02.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33009 is a data race (CWE-362) in everest-core, the core of the EVerest EV charging (EVSE) software. Two code paths read and modify the charger's shared state concurrently without synchronization. The trigger is an MQTT message on the topic `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging`, where `{connector}` is the connector identifier.
The handler for that command modifies shared state, in particular `shared_context` and `internal_context`, without acquiring any lock, while `run_state_machine()` reads and modifies the same state from another thread. Two unsynchronized accesses to the same memory with at least one of them a write is a data race; in C++ that is undefined behavior, so the state machine can observe a partially updated (torn) state or memory can be corrupted outright.
A corrupted state machine can drive the charging-control outputs (PWM signalling, relay switching) from inconsistent state. The race was found with ThreadSanitizer and is fixed in everest-core 2026.02.0, which adds locking around the shared state.
How can this vulnerability impact me?
This vulnerability can corrupt the charger's internal state machine, resulting in incorrect operation of charging controls such as PWM signalling or relay switching. Because the trigger is an ordinary MQTT publish, any client that can publish on the broker to that topic can reach the racy code path.
Such malfunctions may cause unsafe charging behavior, posing safety as well as security risks to the charging process.
Because the issue involves memory corruption and undefined behavior, it could also lead to charger instability or crashes, impacting reliability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is mainly a version check: any everest-core release before 2026.02.0 is affected. Confirming the race itself means reproducing the unsynchronized access between the MQTT handler `switch_three_phases_while_charging()` and `run_state_machine()`, which is a lab exercise on a test build, not something to run on a deployed charger.
A practical way to confirm it is a ThreadSanitizer (TSAN) build, which instruments every memory access and reports conflicting unsynchronized accesses between the two methods even when no visible corruption occurs on that run.
- Build everest-core with `-fsanitize=thread` in a test environment.
- Run the PoC test in `ChargerTest.cpp`, which executes the two vulnerable functions concurrently; on an affected version TSAN reports a data race between them.
- On deployed systems, log or monitor MQTT traffic for publishes to `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging`. The message itself is legitimate, so the point is to spot unexpected publishers and unusual frequency.
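A reduced model of the race, added here as an example written for this page and not taken from everest-core: the `Charger` below is a stand-in with hypothetical fields, keeping only the advisory's two method names and the two-threads-one-shared-state shape. It serves both the explanation above (the unsynchronized handler versus `run_state_machine()`) and the ThreadSanitizer detection step: built with `-fsanitize=thread`, the unlocked run produces a TSAN data-race report, while the locked run, which has the shape of the fix, does not.

```cpp
// Added illustration of the CWE-362 race described in this advisory. Not
// everest-core code: Charger is a reduced stand-in with hypothetical fields;
// only the two method names and the "MQTT handler vs. state machine" shape
// follow the advisory text. use_lock == false is the vulnerable pattern,
// use_lock == true is the shape of the fix (one mutex around the shared state).
#include <cstdint>
#include <cstdio>
#include <mutex>
#include <thread>

struct SharedContext {            // hypothetical fields written by the MQTT handler
    bool three_phases = false;
    int  pwm_duty_permille = 100;
};

struct InternalContext {          // hypothetical fields owned by the state machine
    int           phase_count = 1;
    std::uint64_t ticks = 0;
};

class Charger {
public:
    explicit Charger(bool use_lock) : use_lock_(use_lock) {}

    // Handler for everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging.
    // Three separate stores: a reader interleaving between them sees a torn state.
    void switch_three_phases_while_charging(bool three_phases) {
        std::unique_lock<std::mutex> guard = maybe_lock();
        shared_context_.three_phases      = three_phases;
        internal_context_.phase_count     = three_phases ? 3 : 1;
        shared_context_.pwm_duty_permille = three_phases ? 500 : 100;
    }

    // One state-machine iteration: reads both contexts to derive the relay/PWM
    // decision and counts observations where phase flag and phase count disagree.
    void run_state_machine() {
        std::unique_lock<std::mutex> guard = maybe_lock();
        ++internal_context_.ticks;
        const bool tp = shared_context_.three_phases;
        const int  pc = internal_context_.phase_count;
        if ((tp && pc != 3) || (!tp && pc != 1)) {
            ++torn_observations_;
        }
    }

    std::uint64_t ticks() const { return internal_context_.ticks; }
    std::uint64_t torn_observations() const { return torn_observations_; }

private:
    // With use_lock_ every access to the shared state is serialised on one
    // mutex; without it the returned lock owns nothing and both threads touch
    // the same memory unsynchronised, which is the vulnerable pattern.
    std::unique_lock<std::mutex> maybe_lock() {
        return use_lock_ ? std::unique_lock<std::mutex>(state_mutex_)
                         : std::unique_lock<std::mutex>();
    }

    bool            use_lock_;
    std::mutex      state_mutex_;
    SharedContext   shared_context_;
    InternalContext internal_context_;
    std::uint64_t   torn_observations_ = 0;
};

struct RaceResult {
    std::uint64_t ticks;              // state-machine iterations completed
    std::uint64_t torn_observations;  // iterations that saw inconsistent state
};

// Drive the two code paths from two threads, as an MQTT callback thread and the
// charger's state-machine thread would, and report what the state machine saw.
RaceResult exercise(bool use_lock, int iterations) {
    Charger charger(use_lock);
    std::thread mqtt_handler([&] {
        for (int i = 0; i < iterations; ++i) {
            charger.switch_three_phases_while_charging((i & 1) != 0);
        }
    });
    std::thread state_machine([&] {
        for (int i = 0; i < iterations; ++i) {
            charger.run_state_machine();
        }
    });
    mqtt_handler.join();
    state_machine.join();
    return RaceResult{charger.ticks(), charger.torn_observations()};
}

int main() {
    // Unlocked run: undefined behavior; under TSAN this is where
    // "WARNING: ThreadSanitizer: data race" is reported.
    const RaceResult racy  = exercise(false, 200000);
    // Locked run: same workload, no race, no torn observations.
    const RaceResult fixed = exercise(true, 200000);
    std::printf("unlocked: ticks=%llu torn=%llu\nlocked:   ticks=%llu torn=%llu\n",
                static_cast<unsigned long long>(racy.ticks),
                static_cast<unsigned long long>(racy.torn_observations),
                static_cast<unsigned long long>(fixed.ticks),
                static_cast<unsigned long long>(fixed.torn_observations));
    return fixed.torn_observations == 0 ? 0 : 1;
}
```

Build and run with `g++ -std=c++17 -g -O1 -fsanitize=thread -pthread race.cpp -o race && ./race`. TSAN flags the unlocked run with `WARNING: ThreadSanitizer: data race` and both stacks whether or not a torn observation happened on that particular run; the torn counter in the output is only a timing-dependent symptom, which is exactly why an instrumented build, not observed misbehavior, is the reliable check.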
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Everest EVSE software to version 2026.02.0 or later, which contains a patch that introduces proper locking and synchronization to prevent the data race.
Until the upgrade can be applied, avoid issuing the phase-switch command on `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging`. Not sending it yourself is not a complete control, though: any client that can publish on the broker can send it.
Therefore restrict, at the MQTT broker, which authenticated clients may publish to the `everest_external/nodered/...` command topics (topic ACLs), or disable the interface behind those topics if it is not needed, to reduce exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.