CVE-2026-26074 Overview
CVE-2026-26074 is a race condition vulnerability affecting EVerest, an open-source EV charging software stack. Versions prior to 2026.02.0 contain a data race that can lead to corruption of std::map<std::queue> data structures. The vulnerability is triggered when a CSMS (Charging Station Management System) GetLog or UpdateFirmware request arrives over the network simultaneously with an EVSE (Electric Vehicle Supply Equipment) fault event on the physical layer.
Critical Impact
This race condition can cause concurrent access to the event_queue, potentially leading to memory corruption, application crashes, and denial of service for EV charging infrastructure.
Affected Products
- EVerest EV charging software stack versions prior to 2026.02.0
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-26074 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-26074
Vulnerability Analysis
This vulnerability is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), commonly known as a race condition. The flaw exists in the event handling mechanism of EVerest where two independent events—a network-based CSMS command and a physical EVSE fault event—can simultaneously access the shared event_queue data structure without proper synchronization primitives.
When both events attempt to modify the std::map<std::queue> structure concurrently, the lack of thread-safe access controls can result in data corruption. Thread Sanitizer (TSAN) reports confirm concurrent access patterns that violate memory safety guarantees.
Root Cause
The root cause is improper synchronization when accessing the shared event_queue data structure. The EVerest software does not implement adequate locking mechanisms or atomic operations to prevent simultaneous read/write operations from multiple execution contexts. When network-triggered firmware update or log retrieval commands execute alongside hardware fault event handlers, both code paths attempt to manipulate the queue without mutual exclusion.
Attack Vector
The attack requires network access to send CSMS protocol commands (GetLog or UpdateFirmware requests) to a vulnerable EVerest instance. However, exploitation is not straightforward as it also requires timing coincidence with an EVSE fault event on the physical hardware layer. This makes the attack vector network-based but with high complexity due to the timing requirements.
An attacker with network access to the charging station management interface could potentially trigger repeated GetLog or UpdateFirmware requests while waiting for or inducing physical fault conditions, increasing the probability of hitting the race condition window. Successful exploitation could crash the charging station software, causing denial of service to EV charging infrastructure.
Detection Methods for CVE-2026-26074
Indicators of Compromise
- Unexpected crashes or restarts of the EVerest service, particularly during firmware update or log retrieval operations
- TSAN (Thread Sanitizer) reports in debug builds showing concurrent access to event_queue
- Corrupted log files or incomplete firmware update operations
- Anomalous timing patterns in CSMS command processing
Detection Strategies
- Monitor EVerest process stability and log for segmentation faults or memory access violations
- Implement runtime monitoring for unexpected service restarts during CSMS command processing
- Deploy application-level logging to track concurrent access patterns to shared data structures
- Use memory debugging tools in test environments to identify race condition triggers
Monitoring Recommendations
- Enable comprehensive logging for all CSMS protocol commands (GetLog, UpdateFirmware) with timestamps
- Implement health checks that detect and alert on unexpected EVerest service terminations
- Monitor for rapid repeated CSMS command submissions that could indicate exploitation attempts
- Track correlation between EVSE fault events and network command timing
How to Mitigate CVE-2026-26074
Immediate Actions Required
- Upgrade EVerest to version 2026.2.0 or later which contains the security patch
- Review network access controls to limit CSMS command sources to trusted management systems
- Implement rate limiting on GetLog and UpdateFirmware commands if not already present
- Monitor charging stations for unexpected service disruptions
Patch Information
EVerest version 2026.2.0 contains the fix for this vulnerability. The patch implements proper synchronization mechanisms to prevent concurrent access to the event_queue data structure. Organizations running EVerest should upgrade to this version or later to remediate the vulnerability. Additional details are available in the GitHub Security Advisory.
Workarounds
- Restrict network access to CSMS interfaces to trusted IP addresses only until patching is complete
- Implement network-level rate limiting for CSMS protocol commands
- Consider temporarily disabling remote GetLog and UpdateFirmware functionality in high-risk environments if operationally feasible
- Deploy monitoring to detect and respond quickly to any service disruptions
No specific configuration workaround is available as the fix requires the updated code with proper synchronization. Upgrading to the patched version is the recommended remediation approach.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
