{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26071", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-10T18:01:31.901Z", "datePublished": "2026-03-26T14:48:30.499Z", "dateUpdated": "2026-03-26T19:52:11.381Z"}, "containers": {"cna": {"title": "EVerest: OCPP 2.0.1 EVCCID Data Race Leads to Heap Use\u2011After\u2011Free", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-xww8-4hfx-9fjw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-xww8-4hfx-9fjw"}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"version": "< 2026.02.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T14:48:30.499Z"}, "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::string` concurrent access. with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0 contains a patch."}], "source": {"advisory": "GHSA-xww8-4hfx-9fjw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26071", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:40:29.126289Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:11.381Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26071", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:40:29.126289Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:50:49.801Z"}}], "cna": {"title": "EVerest: OCPP 2.0.1 EVCCID Data Race Leads to Heap Use\u2011After\u2011Free", "source": {"advisory": "GHSA-xww8-4hfx-9fjw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"status": "affected", "version": "< 2026.02.0"}]}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-xww8-4hfx-9fjw", "name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-xww8-4hfx-9fjw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::string` concurrent access. with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T14:48:30.499Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26071", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:11.381Z", "dateReserved": "2026-02-10T18:01:31.901Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T14:48:30.499Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB167E67-6808-4F7B-9505-FFF0C02B288C", "versionEndExcluding": "2026.02.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::string` concurrent access. with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0 contains a patch."}, {"lang": "es", "value": "EVerest es una pila de software de carga de veh\u00edculos el\u00e9ctricos. Las versiones anteriores a la 2026.02.0 tienen una condici\u00f3n de carrera que lleva a un acceso concurrente a 'std::string', con posible uso despu\u00e9s de liberaci\u00f3n en el heap. Esto se activa por la actualizaci\u00f3n de EVCCID (EV/ISO15118) y los eventos de sesi\u00f3n/autorizaci\u00f3n de OCPP. La versi\u00f3n 2026.02.0 contiene un parche."}], "id": "CVE-2026-26071", "lastModified": "2026-03-31T13:06:47.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T15:16:32.847", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-xww8-4hfx-9fjw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.02.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "everest-core", "source": "cna", "vendor": "EVerest"}, "product": "everest-core", "vendor": "everest"}], "analysis": {"en": {"generated_at": "2026-03-31T14:38:08.232942+00:00", "value": {"mitigation_remediation": ["Upgrade to EVerest version 2026.02.0 or later."], "summary": {"action": "Immediate Patch", "impact": "Potential Heap Use\u2011After\u2011Free leading to memory corruption or application crash"}, "threat_synthesis": {"affected_systems": "The vulnerable component is EVerest\u2019s everest\u2011core stack. All releases older than version 2026.02.0 are affected. Version 2026.02.0 contains the patch that removes the race condition.", "description_and_impact": "A data race in the EVerest EV charging software allows concurrent access to a std::string representing the EVCCID. This race can free the heap memory while another thread still references it, causing a heap\u2011use\u2011after\u2011free. The resulting memory corruption could crash the application or, in a worst\u2011case scenario, allow unpredictable execution behavior. The weakness is categorized as a data race (CWE\u2011362) and heap use\u2011after\u2011free (CWE\u2011416).", "risk_and_exploitability": "The CVSS score of 4.2 indicates moderate impact, while the EPSS score of less than 1% suggests low probability of exploitation in the current threat landscape. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would likely require an attacker to trigger simultaneous EVCCID updates and OCPP session/authorization events, implying that the attack vector is logical rather than network\u2011directed. The lack of a publicly known exploit further reduces immediate risk, but the potential for application instability remains."}}}}, "created": "2026-03-27T08:34:04.954409+00:00", "updated": "2026-03-31T20:08:59.056606+00:00", "vendors": ["everest", "everest$PRODUCT$everest-core"]}