CVE-2026-26071 is a concurrency vulnerability in the everest-core component of the EVerest EV charging software stack. The flaw arises from improper synchronization when accessing a shared std::string resource during concurrent operations triggered by EVCCID updates (related to EV/ISO15118 protocol) and OCPP session or authorization events. This race condition can cause heap-use-after-free scenarios, potentially leading to application crashes or undefined behavior. The vulnerability affects all versions prior to 2026.02.0, which includes the vulnerable code paths where concurrent threads or processes access and modify shared string data without adequate locking or atomic operations. The issue does not expose sensitive data or allow code execution but can disrupt service availability by causing the charging software to crash or behave unpredictably. The CVSS v3.1 score is 4.2, reflecting a medium severity with network attack vector but high attack complexity and no privileges or user interaction required. No known exploits are currently in the wild. The vendor has released a patch in version 2026.02.0 that addresses the synchronization flaw by implementing proper concurrency controls to prevent simultaneous unsafe access to the shared resource.

The primary impact of this vulnerability is on the availability of EV charging services relying on the EVerest everest-core software. Exploitation can cause crashes or instability due to heap-use-after-free conditions, potentially leading to denial of service. This can disrupt EV charging operations, affecting end users and operators. While confidentiality and integrity are not directly impacted, service interruptions in critical EV infrastructure could have broader operational and reputational consequences. Organizations operating EV charging networks may experience downtime or degraded service quality, impacting customer satisfaction and operational efficiency. The medium CVSS score and high attack complexity reduce the likelihood of widespread exploitation, but the risk remains significant for targeted attacks or misconfigured environments. No known exploits in the wild currently reduce immediate risk but patching is essential to prevent future attacks.

Organizations should upgrade EVerest everest-core to version 2026.02.0 or later, which contains the patch fixing the race condition and heap-use-after-free vulnerability. Until upgrading, operators should minimize concurrent triggering of EVCCID updates and OCPP session/authorization events if possible, to reduce the chance of triggering the race condition. Implementing runtime monitoring and logging for application crashes or memory errors can help detect exploitation attempts. Conduct thorough testing of EV charging software under concurrent load to identify and mitigate synchronization issues. Network segmentation and strict access controls should be enforced to limit exposure of the EV charging software to untrusted networks or users, given the high attack complexity and network vector. Regularly review and apply vendor security advisories and patches promptly. Consider deploying application-level watchdogs or failover mechanisms to maintain service continuity in case of crashes.