{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26072", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-10T18:01:31.901Z", "datePublished": "2026-03-26T14:50:15.206Z", "dateUpdated": "2026-03-26T18:48:59.324Z"}, "containers": {"cna": {"title": "EVerest has race-condition-induced std::map corruption in OCPP 1.6 evse_soc_map", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v"}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"version": "< 2026.02.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T14:50:15.206Z"}, "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue."}], "source": {"advisory": "GHSA-9xwc-49c4-p79v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:48:50.798983Z", "id": "CVE-2026-26072", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:48:59.324Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26072", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:48:50.798983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:48:55.398Z"}}], "cna": {"title": "EVerest has race-condition-induced std::map corruption in OCPP 1.6 evse_soc_map", "source": {"advisory": "GHSA-9xwc-49c4-p79v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"status": "affected", "version": "< 2026.02.0"}]}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v", "name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T14:50:15.206Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26072", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:48:59.324Z", "dateReserved": "2026-02-10T18:01:31.901Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T14:50:15.206Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue."}], "id": "CVE-2026-26072", "lastModified": "2026-03-26T15:16:33.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T15:16:33.010", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-9xwc-49c4-p79v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.02.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "everest-core", "source": "cna", "vendor": "EVerest"}, "product": "everest-core", "vendor": "everest"}], "analysis": {"en": {"generated_at": "2026-03-26T17:52:17.332097+00:00", "value": {"mitigation_remediation": ["Upgrade everest\u2011core to version 2026.02.0 or later", "Validate that all deployed instances have applied the patch", "If patching cannot be performed immediately, monitor station logs for abnormal SoC changes or crashes and enforce safe shutdown procedures"], "summary": {"action": "Patch", "impact": "Data Corruption and Service Disruption"}, "threat_synthesis": {"affected_systems": "The affected component is the everest\u2011core module in the EVerest distribution. All releases prior to 2026.02.0 that implement the OCPP 1.6 evse_soc_map feature are vulnerable. Installations of this software stack from any vendor that bundles everest\u2011core are at risk.", "description_and_impact": "EVerest, an EV charging software stack, contains a race condition that corrupts a std::map of optional values when simultaneous EV state\u2011of\u2011charge updates, periodic power meter updates, and session termination events occur. The flaw is a classic data\u2011race weakness (CWE\u2011362) that can lead to data corruption, causing the system to report incorrect SoC or to crash, thereby compromising data integrity and availability of the charging service.", "risk_and_exploitability": "The CVSS score of 4.2 indicates low to moderate severity. No exploitation has been documented in public catalogs or the CISA KEV list, and the EPSS score is unavailable. Exploitation would require an attacker to orchestrate the specific sequence of messages \u2013 an EV SoC update, a power\u2011meter periodic update, and an unplug/session finished status \u2013 which is a limited attack window and unlikely to be automated. As a result, the risk to most deployments is low unless an attacker can trigger the exact conditions."}}}}, "created": "2026-03-27T08:34:04.079675+00:00", "updated": "2026-03-27T09:26:30.864455+00:00", "vendors": ["everest", "everest$PRODUCT$everest-core"]}