{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26072", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-10T18:01:31.901Z", "datePublished": "2026-03-26T14:50:15.206Z", "dateUpdated": "2026-03-26T18:48:59.324Z"}, "containers": {"cna": {"title": "EVerest has race-condition-induced std::map corruption in OCPP 1.6 evse_soc_map", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v"}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"version": "< 2026.02.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T14:50:15.206Z"}, "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue."}], "source": {"advisory": "GHSA-9xwc-49c4-p79v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:48:50.798983Z", "id": "CVE-2026-26072", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:48:59.324Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26072", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:48:50.798983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:48:55.398Z"}}], "cna": {"title": "EVerest has race-condition-induced std::map corruption in OCPP 1.6 evse_soc_map", "source": {"advisory": "GHSA-9xwc-49c4-p79v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"status": "affected", "version": "< 2026.02.0"}]}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v", "name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T14:50:15.206Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26072", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:48:59.324Z", "dateReserved": "2026-02-10T18:01:31.901Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T14:50:15.206Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB167E67-6808-4F7B-9505-FFF0C02B288C", "versionEndExcluding": "2026.02.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue."}, {"lang": "es", "value": "EVerest es una pila de software de carga de VE. Las versiones anteriores a la 2026.02.0 tienen una condici\u00f3n de carrera de datos que lleva a un acceso concurrente a 'std::map' (posible corrupci\u00f3n del contenedor/opcional). El desencadenante es la actualizaci\u00f3n del SoC del VE con la actualizaci\u00f3n peri\u00f3dica del medidor de potencia y el estado de desconexi\u00f3n/Sesi\u00f3nFinalizada. La versi\u00f3n 2026.02.0 corrige el problema."}], "id": "CVE-2026-26072", "lastModified": "2026-03-31T13:06:06.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T15:16:33.010", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.02.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "everest-core", "source": "cna", "vendor": "EVerest"}, "product": "everest-core", "vendor": "everest"}], "analysis": {"en": {"generated_at": "2026-03-31T14:37:54.403528+00:00", "value": {"mitigation_remediation": ["Upgrade EVerest to version 2026.02.0 or later to apply the vendor patch.", "If an upgrade is not immediately possible, suspend power\u2011meter updates or SoC updates during session transitions such as unplugging or SessionFinished to avoid concurrent access.", "Disable or throttle EV SoC update requests from the vehicle while the power meter is active until the issue is resolved.", "Continuously monitor EVSE logs for crashes or abnormal exceptions related to map operations and apply the patch as soon as possible."], "summary": {"action": "Patch Upgrade", "impact": "Race condition causing std::map corruption which can lead to application crashes and service instability"}, "threat_synthesis": {"affected_systems": "The vulnerable component is the everest-core stack of EVerest, the open\u2011source electric\u2011vehicle charging software. All releases before version 2026.02.0 are affected; version 2026.02.0 includes the fix.", "description_and_impact": "EVerest 1.6 and earlier versions contain a concurrency flaw where simultaneous updates to the EV state\u2011of\u2011charge (SoC) map and power\u2011meter readings lead to corruption of a std::map holding optional entries. The defect is a classic data\u2011race (CWE\u2011362) that may cause the map to become inconsistent, potentially resulting in application crashes, unpredictable behavior, or denial of service of the charging station software. No direct exploitation path is described in the source, but the inconsistency can crash the server or drop charging sessions.", "risk_and_exploitability": "The CVSS score of 4.2 indicates moderate severity, and the EPSS score is below 1\u202f%, suggesting a low estimated exploitation probability. The vulnerability is not listed in the CISA KEV catalog, reinforcing the low threat level. The likely attack vector is local access or an attacker that can induce concurrent SoC updates from the vehicle and periodic power\u2011meter updates while the vehicle is unplugged or the session is finished. Inferences indicate that an attacker would need direct or privileged interaction with the EVSE to trigger the race, making remote exploitation unlikely under normal conditions."}}}}, "created": "2026-03-27T08:34:04.079675+00:00", "updated": "2026-03-31T20:08:58.058059+00:00", "vendors": ["everest", "everest$PRODUCT$everest-core"]}