{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33009", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.664Z", "datePublished": "2026-03-26T16:39:30.268Z", "dateUpdated": "2026-03-28T02:26:05.370Z"}, "containers": {"cna": {"title": "EVerest: MQTT Switch-Phases Command Data Race Causing Charger State Corruptio", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-33qh-fg6f-jjx5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-33qh-fg6f-jjx5"}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"version": "< 2026.02.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:39:30.268Z"}, "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging` message and results in `Charger::shared_context` / `internal_context` accessed concurrently without lock. Version 2026.02.0 contains a patch."}], "source": {"advisory": "GHSA-33qh-fg6f-jjx5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T02:25:42.838839Z", "id": "CVE-2026-33009", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:26:05.370Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33009", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-28T02:25:42.838839Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:26:00.877Z"}}], "cna": {"title": "EVerest: MQTT Switch-Phases Command Data Race Causing Charger State Corruptio", "source": {"advisory": "GHSA-33qh-fg6f-jjx5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"status": "affected", "version": "< 2026.02.0"}]}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-33qh-fg6f-jjx5", "name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-33qh-fg6f-jjx5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging` message and results in `Charger::shared_context` / `internal_context` accessed concurrently without lock. Version 2026.02.0 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:39:30.268Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33009", "state": "PUBLISHED", "dateUpdated": "2026-03-28T02:26:05.370Z", "dateReserved": "2026-03-17T17:22:14.664Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T16:39:30.268Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB167E67-6808-4F7B-9505-FFF0C02B288C", "versionEndExcluding": "2026.02.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging` message and results in `Charger::shared_context` / `internal_context` accessed concurrently without lock. Version 2026.02.0 contains a patch."}, {"lang": "es", "value": "EVerest es una pila de software de carga de veh\u00edculos el\u00e9ctricos. Las versiones anteriores a la 2026.02.0 tienen una condici\u00f3n de carrera de datos que conduce a un comportamiento indefinido (UB) de C++ (potencial corrupci\u00f3n de memoria). Esto se activa mediante un mensaje MQTT 'everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging' y resulta en que 'Charger::shared_context' / 'internal_context' se acceden concurrentemente sin bloqueo. La versi\u00f3n 2026.02.0 contiene un parche."}], "id": "CVE-2026-33009", "lastModified": "2026-03-31T13:30:58.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T17:16:37.813", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-33qh-fg6f-jjx5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.02.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "everest-core", "source": "cna", "vendor": "EVerest"}, "product": "everest-core", "vendor": "everest"}], "analysis": {"en": {"generated_at": "2026-03-31T15:38:21.767305+00:00", "value": {"mitigation_remediation": ["Upgrade EVerest everest-core to version 2026.02.0 or later.", "If an upgrade is not immediately possible, configure the MQTT broker to deny or filter `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging` messages.", "Ensure the MQTT broker is authenticated, not openly exposed to the internet, and that only authorized clients can publish commands.", "Monitor MQTT traffic for unexpected switch commands and establish alerts for anomalous activity."], "summary": {"action": "Immediate Patch", "impact": "Potential Memory Corruption leading to Charger State Disruption"}, "threat_synthesis": {"affected_systems": "All installations of EVerest everest-core running a version earlier than 2026.02.0 are affected. The vulnerability is confined to the core stack developed by the Linux Foundation and does not extend to other vendors or product families.", "description_and_impact": "EVerest is an electric vehicle charging software stack that contains a data race in the handling of the MQTT command `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging`. The race allows simultaneous access to `Charger::shared_context` and `internal_context` without proper locking, resulting in undefined C++ behavior that can corrupt memory and disrupt the charger\u2019s state. This weakness is a classic concurrent modification flaw (CWE\u2011362).", "risk_and_exploitability": "The CVSS score of 8.2 indicates high severity, but the EPSS probability is below 1% and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is network-based and requires an attacker to have the ability to publish the specific MQTT command to the broker; therefore it is limited to entities with MQTT write access. Version 2026.02.0 contains a patch that removes the race and protects the shared context. Users still exposed to older versions are at risk and should upgrade promptly."}}}}, "created": "2026-03-27T08:33:46.609316+00:00", "updated": "2026-03-31T20:08:48.304940+00:00", "vendors": ["everest", "everest$PRODUCT$everest-core"]}