CVE-2026-26070 Overview
CVE-2026-26070 is a race condition vulnerability affecting EVerest, an open-source EV charging software stack. Versions prior to 2026.02.0 contain a data race that can lead to std::map<std::optional> concurrent access, resulting in container or optional corruption. This vulnerability is triggered when an EV State of Charge (SoC) update occurs simultaneously with a powermeter periodic update and an unplugging or SessionFinished state transition.
Critical Impact
The race condition can cause memory corruption and denial of service in EV charging infrastructure, potentially disrupting charging sessions and causing system instability.
Affected Products
- EVerest EV charging software stack versions prior to 2026.02.0
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-26070 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-26070
Vulnerability Analysis
This vulnerability is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), commonly known as a race condition. The flaw exists in the handling of concurrent operations within the EVerest software stack when multiple events occur simultaneously during EV charging sessions.
The vulnerability manifests when the software attempts to update the std::map<std::optional> data structure from multiple execution contexts without proper synchronization mechanisms. In C++, the Standard Template Library (STL) containers like std::map are not thread-safe by default, and concurrent read/write operations can lead to undefined behavior, including data corruption, crashes, or unpredictable system states.
The attack requires physical access to the charging infrastructure, which limits the attack surface but remains a concern for publicly accessible EV charging stations.
Root Cause
The root cause is improper synchronization when accessing shared data structures. Specifically, when three events coincide—an EV State of Charge update, a powermeter periodic update, and an unplugging or SessionFinished state change—multiple threads attempt to access and modify the same std::map<std::optional> container concurrently without adequate locking or atomic operations.
This results in a Time-of-Check Time-of-Use (TOCTOU) scenario where the container state can change between when it is checked and when it is used, leading to memory corruption and potential denial of service.
Attack Vector
The attack vector requires physical access to the EV charging station. An attacker would need to manipulate the timing of events during a charging session to trigger the race condition. The specific trigger conditions are:
- Initiating or receiving an EV State of Charge (SoC) update
- Coinciding with a powermeter periodic update cycle
- Unplugging the vehicle or triggering a SessionFinished state
The vulnerability exploitation scenario involves precise timing manipulation at physical EV charging infrastructure. For detailed technical information about the specific code paths involved, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-26070
Indicators of Compromise
- Unexpected crashes or restarts of the EVerest charging controller software
- Corrupted charging session logs or missing session data
- Abnormal memory usage patterns in the EVerest process
- Error messages indicating container corruption or invalid iterator access
Detection Strategies
- Monitor EVerest service logs for segmentation faults, assertion failures, or unexpected terminations
- Implement process monitoring to detect abnormal restart patterns of the charging software
- Review system logs for concurrent access errors or memory corruption indicators
- Deploy crash reporting mechanisms to capture core dumps for forensic analysis
Monitoring Recommendations
- Enable verbose logging for charging session state transitions
- Monitor process health and restart frequency for EVerest services
- Implement real-time alerting for service crashes or unexpected behavior
- Track memory utilization patterns to identify potential corruption scenarios
How to Mitigate CVE-2026-26070
Immediate Actions Required
- Upgrade EVerest to version 2026.02.0 or later immediately
- Review deployment configurations for any vulnerable versions
- Monitor charging stations for signs of exploitation or instability
- Consider temporary operational restrictions on vulnerable stations until patched
Patch Information
The EVerest project has released version 2026.2.0 which contains the security patch for this vulnerability. The fix implements proper synchronization mechanisms to prevent concurrent access to the std::map<std::optional> data structure during the identified trigger conditions.
For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory.
Workarounds
- Implement rate limiting on state update events to reduce the likelihood of concurrent access
- Consider adding external synchronization wrapper mechanisms if immediate upgrade is not feasible
- Reduce the frequency of powermeter periodic updates temporarily to lower race condition probability
- Monitor affected systems closely and implement automated restart procedures to minimize service disruption
# Verify EVerest version and upgrade if vulnerable
# Check current version
everest --version
# Upgrade to patched version 2026.02.0 or later
# Follow your deployment-specific upgrade procedure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
