PT-2026-28463 · Everest · Everest

Finder16

Published: 2026-03-26 · Updated: 2026-03-27 · CVE-2026-33009

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Name of the Vulnerable Software and Affected Versions

EVerest versions prior to 2026.02.0

Description

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race condition leading to C++ undefined behavior (UB), potentially resulting in memory corruption. This issue is triggered by an MQTT message sent to the everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging API endpoint. The issue involves concurrent access to Charger::shared_context and internal_context without proper locking mechanisms.

Recommendations

Versions prior to 2026.02.0 should be updated to version 2026.02.0 or later.

Exploit

Fix

Race Condition

Weakness Enumeration

Related identifiers

CVE-2026-33009
GHSA-33QH-FG6F-JJX5

Affected products

Everest