CVE-2026-26072 Overview
CVE-2026-26072 is a data race vulnerability in EVerest, an open-source EV charging software stack. This race condition occurs due to concurrent access to a std::map<std::optional> data structure, which can lead to container and optional corruption. The vulnerability is triggered when an EV State of Charge (SoC) update coincides with a powermeter periodic update and an unplugging or SessionFinished status event.
Critical Impact
This race condition can cause memory corruption in EV charging infrastructure, potentially leading to denial of service conditions that could disrupt charging sessions and affect charging station availability.
Affected Products
- EVerest versions prior to 2026.02.0
- EV charging infrastructure running vulnerable EVerest deployments
- Systems with concurrent EV SoC and powermeter update handling
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-26072 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-26072
Vulnerability Analysis
This vulnerability is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), commonly known as a Race Condition. The issue manifests when multiple threads simultaneously access the std::map<std::optional> container without proper synchronization mechanisms.
In C++ applications, std::map is not thread-safe by default. When multiple threads perform read and write operations on the same map instance concurrently, undefined behavior can occur. The involvement of std::optional as a template parameter adds additional complexity, as corruption of optional state can lead to unpredictable behavior when checking or accessing contained values.
The physical attack vector requirement indicates that an attacker would need proximity to the charging infrastructure to reliably trigger the race condition, though the specific timing conditions involving SoC updates and session state changes make exploitation complex.
Root Cause
The root cause is improper synchronization when handling concurrent events in the EVerest charging stack. Specifically, the code fails to implement proper mutex locking or other thread-safety mechanisms around shared data structures that track charging session state. When an EV SoC update arrives while a powermeter periodic update is being processed and a session termination event occurs (unplugging or SessionFinished), the race condition is triggered.
Attack Vector
The attack requires physical proximity to the EV charging infrastructure. An attacker would need to manipulate the timing of events to trigger the race condition:
- Initiate or observe an active charging session
- Time the attack to coincide with powermeter periodic updates
- Trigger a session termination (unplugging) while SoC updates are being processed
- Exploit the resulting memory corruption to cause denial of service
The vulnerability is exploited by creating specific timing conditions during charging session state transitions. When an EV SoC update occurs simultaneously with a powermeter periodic update during session termination (unplugging or SessionFinished status), the concurrent access to the shared std::map<std::optional> container triggers undefined behavior. This can corrupt the container's internal state or the optional values it holds.
For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-26072
Indicators of Compromise
- Unexpected charging session terminations or crashes in EVerest service logs
- Memory corruption errors or segmentation faults in charging station logs
- Inconsistent powermeter readings or SoC data following session events
- Service restarts correlating with unplugging events during active updates
Detection Strategies
- Monitor EVerest service logs for crash reports or unexpected terminations during session state changes
- Implement thread sanitizer (TSan) analysis during development and testing phases
- Deploy runtime monitoring for memory corruption indicators in production environments
- Review system logs for patterns of failures coinciding with SoC updates and session terminations
Monitoring Recommendations
- Configure alerting for EVerest service crashes or unexpected restarts
- Monitor for patterns of charging session interruptions across multiple stations
- Implement health checks that detect inconsistent session state data
- Log and analyze timing correlations between powermeter updates and session events
How to Mitigate CVE-2026-26072
Immediate Actions Required
- Upgrade EVerest installations to version 2026.02.0 or later immediately
- Review charging station logs for evidence of past exploitation attempts
- Implement network segmentation to limit physical access to charging infrastructure
- Enable enhanced logging for session state transitions during the upgrade process
Patch Information
The vulnerability is patched in EVerest version 2026.02.0. Organizations should upgrade to this version or later to remediate the issue. The patch implements proper synchronization mechanisms to prevent concurrent access to the shared data structures.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, reduce powermeter update frequency to minimize race window
- Implement additional physical security controls around charging infrastructure
- Consider temporarily disabling automatic SoC updates if supported by the deployment
- Monitor systems closely for crash events while awaiting patch deployment
# Configuration example - Upgrade EVerest to patched version
# Check current EVerest version
everest --version
# Update to patched version 2026.02.0 or later
# Consult EVerest documentation for your deployment method
git fetch --tags
git checkout 2026.02.0
# Rebuild and redeploy
cmake -B build
cmake --build build
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
