CVE-2026-26070 is a concurrency vulnerability classified under CWE-362 (Race Condition) affecting the EVerest everest-core software stack used in electric vehicle (EV) charging systems. The vulnerability exists in versions prior to 2026.02.0 due to improper synchronization when accessing a shared std::map container holding std::optional elements. Specifically, concurrent operations triggered by an EV State of Charge (SoC) update, a powermeter periodic update, and an unplugging or SessionFinished event can cause simultaneous access to this container without adequate locking mechanisms. This data race can corrupt the container or the optional objects it holds, potentially leading to undefined behavior such as crashes or memory corruption. The vulnerability impacts availability by causing denial of service conditions in the charging software, but does not compromise confidentiality or integrity of data. The CVSS v3.1 score is 4.6 (medium severity) with vector AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that exploitation requires physical or local network access but no privileges or user interaction. No public exploits are currently known. The vendor patched the issue in version 2026.02.0 by implementing proper synchronization to prevent concurrent access issues. This vulnerability is particularly relevant to organizations operating EV charging infrastructure that relies on EVerest everest-core, as disruption could impact EV charging availability and user experience.

The primary impact of CVE-2026-26070 is on the availability of EV charging services using the affected EVerest everest-core software. Successful exploitation can cause crashes or instability due to container corruption from concurrent unsynchronized access, leading to denial of service conditions. This can disrupt EV charging sessions, potentially stranding users or causing operational delays. While confidentiality and integrity are not affected, the availability impact can have significant operational and reputational consequences for charging network operators, utilities, and service providers. In large-scale deployments, widespread disruption could affect grid load management and EV fleet operations. The medium CVSS score reflects moderate risk, but the physical or local network access requirement limits remote exploitation. Nonetheless, attackers with local access or insider capabilities could trigger the race condition. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to avoid service interruptions and maintain trust in EV infrastructure.

1. Upgrade to EVerest everest-core version 2026.02.0 or later, which contains the official patch fixing the race condition by implementing proper synchronization mechanisms. 2. If immediate upgrade is not feasible, implement strict access controls to limit local or network access to the charging software environment, reducing the risk of triggering the race condition. 3. Monitor EV charging system logs and stability metrics for signs of crashes or unexpected restarts that may indicate exploitation attempts. 4. Conduct code audits and concurrency testing on custom or integrated components interacting with the everest-core to identify and remediate similar synchronization issues. 5. Employ runtime protections such as memory corruption detection tools or containerization to isolate the charging software and minimize impact of potential crashes. 6. Coordinate with EV infrastructure vendors and operators to ensure timely patch deployment and incident response readiness. 7. Educate operational staff on the importance of applying updates and monitoring for anomalies related to charging session disruptions.