CVE-2026-26072

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-26072
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue.

4.2 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.5 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
History

31 Mar 2026, 13:06

Type Values Removed Values Added
References () https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v - () https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v - Vendor Advisory
CPE cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
First Time Linuxfoundation
Linuxfoundation everest

30 Mar 2026, 13:26

Type Values Removed Values Added
Summary
  • (es) EVerest es una pila de software de carga de VE. Las versiones anteriores a la 2026.02.0 tienen una condición de carrera de datos que lleva a un acceso concurrente a 'std::map' (posible corrupción del contenedor/opcional). El desencadenante es la actualización del SoC del VE con la actualización periódica del medidor de potencia y el estado de desconexión/SesiónFinalizada. La versión 2026.02.0 corrige el problema.

26 Mar 2026, 15:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-26 15:16

Updated : 2026-03-31 13:06

NVD link : CVE-2026-26072

Mitre link : CVE-2026-26072

CVE.ORG link : CVE-2026-26072

JSON object : View

Products Affected

linuxfoundation

  • everest
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')