CVE-2026-26071 Overview
CVE-2026-26071 is a race condition vulnerability affecting EVerest, an open-source EV charging software stack. Versions prior to 2026.02.0 contain a data race that leads to concurrent access of std::string objects, potentially resulting in a heap-use-after-free condition. This vulnerability is triggered during EVCCID updates (EV/ISO15118) and OCPP session/authorization events.
Critical Impact
This race condition can cause memory corruption leading to denial of service conditions in EV charging infrastructure, potentially disrupting charging operations and affecting availability of charging stations.
Affected Products
- EVerest EV charging software stack versions prior to 2026.02.0
- Systems implementing ISO15118 EVCCID functionality
- OCPP-enabled charging infrastructure using vulnerable EVerest versions
Discovery Timeline
- 2026-03-26 - CVE-2026-26071 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-26071
Vulnerability Analysis
This vulnerability is classified as CWE-362 (Race Condition), specifically a Time-of-Check Time-of-Use (TOCTOU) issue within the EVerest software stack. The flaw arises from improper synchronization when handling std::string objects that are accessed concurrently by multiple threads.
The race condition occurs at the intersection of two critical charging protocol operations: EVCCID updates from the ISO15118 electric vehicle communication controller and OCPP (Open Charge Point Protocol) session/authorization events. When these events occur simultaneously, concurrent access to shared string objects can result in heap-use-after-free memory corruption.
The physical attack vector means that exploitation requires local or physical access to the charging infrastructure. This limits remote exploitation scenarios, but the issue remains significant for on-site attacks against charging stations.
Root Cause
The root cause is insufficient thread synchronization in the EVerest codebase when handling string data shared between the ISO15118 communication layer and the OCPP session management components. When an EVCCID update occurs concurrently with OCPP authorization events, the std::string objects representing vehicle or session identifiers may be accessed by one thread while being modified or deallocated by another, leading to undefined behavior and potential memory corruption.
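The synchronization pattern that closes this class of bug, as an added example (not EVerest code and not the project's patch): a hypothetical `SessionIds` class guards the shared identifier with a mutex and hands readers a copy, and `stress_torn_reads` exercises it with one writer and four readers. The class, function names and identifier values are assumptions made for illustration.

```cpp
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Hypothetical stand-in for state shared between the ISO15118 handler
// (writer) and OCPP event handlers (readers). Not EVerest code.
class SessionIds {
public:
    // Writer: EVCCID update. Assignment may reallocate the heap buffer.
    void set_evccid(const std::string& id) {
        std::lock_guard<std::mutex> lock(mtx_);
        evccid_ = id;
    }
    // Reader: returns a copy made under the lock. Returning a reference, or
    // reading evccid_ unlocked, would let the writer free the buffer mid-read.
    std::string evccid() const {
        std::lock_guard<std::mutex> lock(mtx_);
        return evccid_;
    }
private:
    mutable std::mutex mtx_;
    std::string evccid_;
};

// Runs one writer and four readers concurrently; returns the number of
// reads that saw anything other than one of the two complete identifiers.
int stress_torn_reads(int iterations) {
    // Constructed identifiers, long enough to defeat small-string
    // optimisation so every assignment touches heap memory.
    const std::string a(64, 'A'), b(128, 'B');
    SessionIds ids;
    ids.set_evccid(a);
    std::vector<int> torn(4, 0);  // one counter per reader, no sharing
    std::thread writer([&] {
        for (int i = 0; i < iterations; ++i) ids.set_evccid(i % 2 ? a : b);
    });
    std::vector<std::thread> readers;
    for (int r = 0; r < 4; ++r)
        readers.emplace_back([&, r] {
            for (int i = 0; i < iterations; ++i) {
                std::string v = ids.evccid();
                if (v != a && v != b) ++torn[r];
            }
        });
    writer.join();
    for (auto& t : readers) t.join();
    int total = 0;
    for (int n : torn) total += n;
    return total;
}
```

Building this harness with `-fsanitize=thread` gives a clean run; removing the two `lock_guard` lines makes ThreadSanitizer report a data race on the string, which is the condition the advisory describes.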
Attack Vector
The attack requires physical access to exploit this vulnerability. An attacker with access to the charging infrastructure could potentially trigger the race condition by manipulating the timing of EV communication events (ISO15118) alongside OCPP session events. Successful exploitation could cause the charging controller to crash, resulting in denial of service conditions affecting the charging station's availability.
The heap-use-after-free scenario can occur when one thread frees a string object while another thread still holds a reference to it and attempts to access the deallocated memory. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-26071
Indicators of Compromise
- Unexpected crashes or restarts of the EVerest charging controller software
- Memory corruption errors or segmentation faults in EVerest process logs
- Abnormal patterns in ISO15118 communication timing concurrent with OCPP events
- Core dumps indicating heap corruption in string handling functions
Detection Strategies
- Monitor EVerest application logs for memory access violations and unexpected terminations
- Implement runtime memory sanitizers (AddressSanitizer) in development/testing environments to detect use-after-free conditions
- Track concurrent EVCCID update and OCPP session events for anomalous timing patterns
- Deploy process monitoring to detect repeated crashes of charging controller services
Monitoring Recommendations
- Establish baseline metrics for charging session stability and monitor for deviations
- Configure alerting on EVerest process crashes and automatic restart events
- Review system logs for ThreadSanitizer or AddressSanitizer warnings during testing phases
- Monitor charging station availability metrics for unexplained downtime patterns
How to Mitigate CVE-2026-26071
Immediate Actions Required
- Upgrade EVerest to version 2026.02.0 or later, which contains the patch for this vulnerability
- Review and audit any custom integrations with the ISO15118 and OCPP components
- Implement network segmentation to limit physical access to charging infrastructure
- Enable comprehensive logging for charging controller operations to detect exploitation attempts
Patch Information
EVerest version 2026.02.0 contains a patch that addresses this race condition vulnerability. The fix implements proper thread synchronization mechanisms to prevent concurrent access to shared string objects during EVCCID updates and OCPP session handling. Organizations should update to this version as soon as possible.
For additional details about the patch and affected versions, consult the EVerest Security Advisory.
Workarounds
- Limit physical access to charging stations and associated control systems to authorized personnel only
- Consider temporarily disabling automatic OCPP session updates if feasible for your deployment
- Implement additional process monitoring and automatic recovery mechanisms to minimize downtime impact
- Isolate vulnerable charging infrastructure from untrusted networks until patching is complete
# Configuration example
# Update EVerest to patched version
git fetch --tags
git checkout 2026.02.0
# Rebuild with the patched version
mkdir -p build && cd build
cmake ..
make -j$(nproc)
make install
# Restart EVerest services
systemctl restart everest

