medium advisory

EVerest EV Charging Stack Data Race Vulnerability (CVE-2026-26074)

EVerest versions prior to 2026.02.0 exhibit a data race vulnerability (CVE-2026-26074) where concurrent network requests and physical events can corrupt the event queue, leading to potential denial of service or other undefined behavior.

EVerest, an EV charging software stack, is susceptible to a data race vulnerability identified as CVE-2026-26074. This flaw affects versions prior to 2026.02.0. The vulnerability arises from concurrent access to the event_queue, specifically a std::map<std::queue>, when a CSMS (Charging Station Management System) GetLog or UpdateFirmware request (originating from the network) coincides with an EVSE (Electric Vehicle Supply Equipment) fault event (a physical occurrence). This combination of…
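The race class described above, as an added example (not EVerest's code and not the project's fix): a map of queues shared between a network-request thread and a hardware-fault thread, with every access serialized by one mutex. The class, the event names and the int priority key are assumptions made for illustration.

```cpp
#include <cstddef>
#include <map>
#include <mutex>
#include <queue>
#include <string>
#include <thread>
#include <utility>

// Illustrative only: names and the int priority key are assumptions, not EVerest code.
struct Event { std::string source; std::string name; };

class GuardedEventQueue {
public:
    // operator[] may insert a new map node and push() may allocate inside
    // the queue, so both must happen under the same lock.
    void push(int priority, Event ev) {
        std::lock_guard<std::mutex> lock(mtx_);
        queues_[priority].push(std::move(ev));
    }
    // Pops the oldest event from the lowest-numbered non-empty queue.
    bool pop(Event& out) {
        std::lock_guard<std::mutex> lock(mtx_);
        for (auto& entry : queues_) {
            if (entry.second.empty()) continue;
            out = std::move(entry.second.front());
            entry.second.pop();
            return true;
        }
        return false;
    }
private:
    std::mutex mtx_;
    std::map<int, std::queue<Event>> queues_;
};

// Network-originated requests and hardware fault events arrive on separate
// threads. Without mtx_ this is a data race (undefined behaviour); with it,
// every event pushed is later drained exactly once.
std::size_t run_concurrent_producers(std::size_t per_thread) {
    GuardedEventQueue q;
    std::thread net([&] { for (std::size_t i = 0; i < per_thread; ++i) q.push(1, {"network", "GetLog"}); });
    std::thread hw([&] { for (std::size_t i = 0; i < per_thread; ++i) q.push(0, {"hardware", "EvseFault"}); });
    net.join();
    hw.join();
    std::size_t drained = 0;
    Event ev;
    while (q.pop(ev)) ++drained;
    return drained;
}
```

Building the unguarded variant with ThreadSanitizer (`-fsanitize=thread`) is a practical way to confirm this kind of race in a test harness.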

Detection coverage 2

Detect EVerest CSMS GetLog/UpdateFirmware Request

low

Detects network connections indicative of a CSMS GetLog or UpdateFirmware request to an EVerest charging station, which may precede a CVE-2026-26074 exploitation attempt when combined with a physical EVSE fault.

sigma | tactics: discovery | sources: network_connection, linux

EVerest Crash due to Event Queue Corruption

medium

Detects a crash or error message in EVerest logs that indicates corruption of the event queue, potentially triggered by CVE-2026-26074.

sigma | tactics: impact | sources: webserver, linux
