CVE-2026-26073 Overview
CVE-2026-26073 is a race condition vulnerability affecting EVerest, an open-source EV charging software stack. Versions prior to 2026.02.0 contain a data race that can lead to corruption of std::queue and std::deque data structures. The vulnerability is triggered when powermeter public key updates occur simultaneously with EV session or error events while the OCPP (Open Charge Point Protocol) service has not yet started. This race condition has been confirmed through TSAN (Thread Sanitizer) data race reports and ASAN/UBSAN (Address/Undefined Behavior Sanitizer) misaligned address runtime errors.
Critical Impact
This vulnerability can cause denial of service conditions in EV charging infrastructure through memory corruption, potentially disrupting charging station operations.
Affected Products
- EVerest EV charging software stack versions prior to 2026.02.0
- Systems running EVerest with OCPP functionality
- EV charging stations utilizing the EVerest software platform
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-26073 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-26073
Vulnerability Analysis
This vulnerability is classified under CWE-122 (Heap-based Buffer Overflow), though the underlying issue manifests as a race condition affecting C++ standard library container integrity. The vulnerability exists in the event handling subsystem of EVerest where concurrent access to shared queue structures occurs without proper synchronization.
When the OCPP service is not yet initialized, multiple threads can simultaneously access the internal event queues during powermeter public key updates and EV session/error event processing. The lack of thread-safe access patterns results in memory corruption that manifests as misaligned memory access and data structure inconsistency.
The network-based attack vector requires precise timing to trigger the race condition, as the attacker must induce the specific sequence of events during the vulnerable window when OCPP has not started but the system is processing powermeter and session events.
Root Cause
The root cause is improper synchronization of shared std::queue and std::deque data structures in the EVerest event handling code. When multiple threads attempt to read and write to these containers concurrently without mutex protection or other synchronization primitives, the internal state of these containers can become corrupted. This is a classic Time-of-Check Time-of-Use (TOCTOU) variant where the state of the queue changes between operations.
Attack Vector
The vulnerability can be exploited remotely over a network connection. An attacker would need to:
- Target an EVerest installation during its startup phase when OCPP is not yet fully initialized
- Trigger powermeter public key update operations
- Simultaneously induce EV session or error events
- The timing of these concurrent operations triggers the race condition
Due to the high attack complexity required to reliably exploit this race condition, the practical exploitability is limited. However, in critical infrastructure environments like EV charging networks, even unreliable denial of service attacks can have significant operational impact.
The vulnerability mechanism involves concurrent access to queue structures without proper synchronization. When the powermeter update thread and the session event handler thread access the shared queue simultaneously, memory corruption can occur. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-26073
Indicators of Compromise
- Unexpected crashes or restarts of the EVerest service during startup sequences
- TSAN reports indicating data races in queue-related operations
- ASAN/UBSAN runtime errors showing misaligned memory addresses
- Abnormal memory consumption patterns in the EVerest process
Detection Strategies
- Deploy ThreadSanitizer (TSAN) builds in test environments to detect data race conditions
- Monitor EVerest service stability during OCPP initialization phases
- Implement runtime instrumentation to detect misaligned memory access patterns
- Review system logs for segmentation faults or memory corruption indicators
Monitoring Recommendations
- Configure alerting for unexpected EVerest service restarts
- Monitor for patterns of concurrent powermeter updates and session events during startup
- Implement health checks that verify OCPP initialization state before accepting events
- Deploy memory profiling tools to detect container corruption symptoms
How to Mitigate CVE-2026-26073
Immediate Actions Required
- Upgrade to EVerest version 2026.02.0 or later which contains the security patch
- If immediate upgrade is not possible, implement rate limiting on powermeter public key updates during startup
- Consider delaying EV session handling until OCPP service is fully initialized
- Review and audit any custom integrations that may trigger concurrent event processing
Patch Information
The vulnerability has been addressed in EVerest version 2026.02.0. The patch introduces proper synchronization mechanisms for the affected queue data structures, preventing concurrent access issues. Organizations should update to this version or later to remediate the vulnerability. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Implement external synchronization controls to serialize powermeter updates and session events during OCPP startup
- Configure startup sequences to ensure OCPP is fully initialized before accepting external events
- Deploy network-level rate limiting to reduce the likelihood of triggering the race condition
- Consider running EVerest with TSAN in staging environments to detect potential race conditions before production deployment
# Configuration example
# Verify EVerest version to ensure patched version is installed
everest --version
# Expected output should show 2026.02.0 or later
# Check OCPP service status before processing events
systemctl status everest-ocpp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
