PT-2026-28463 · Everest · Everest

Finder16 · Published 2026-03-26 · Updated 2026-03-27 · CVE-2026-33009

CVSS v3.1: 8.2 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Name of the Vulnerable Software and Affected Versions

EVerest versions prior to 2026.02.0

Description

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race condition leading to C++ undefined behavior (UB), potentially resulting in memory corruption. This issue is triggered by an MQTT message sent to the everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging API endpoint. The issue involves concurrent access to Charger::shared_context and internal_context without proper locking mechanisms.

Recommendations

Versions prior to 2026.02.0 should be updated to version 2026.02.0 or later.

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2026-33009
GHSA-33QH-FG6F-JJX5

Affected Products

Everest