CVE-2026-26074

HIGH

EVerest: OCPP201 startup event_queue lock mismatch leads to std::map/std::queue data race

Title source: cna
STIX 2.1

Description

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible `std::map<std::queue>` corruption. The trigger is CSMS GetLog/UpdateFirmware request (network) with an EVSE fault event (physical). This results in TSAN reports concurrent access (data race) to `event_queue`. Version 2026.2.0 contains a patch.

References (1)

Scores

CVSS v3 7.0
EPSS 0.0005
EPSS Percentile 16.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-362
Status published
Products (2)
EVerest/everest-core < 2026.02.0
linuxfoundation/everest < 2026.02.0
Published Mar 26, 2026
Tracked Since Mar 26, 2026