CVE-2026-26072: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in EVerest everest-core
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue.
AI Analysis
Technical Summary
CVE-2026-26072 is a concurrency-related vulnerability classified under CWE-362 (Race Condition) affecting the everest-core component of the EVerest EV charging software stack. The issue stems from improper synchronization when multiple threads concurrently access and modify a std::map containing std::optional elements. Specifically, the race condition is triggered during overlapping events: an electric vehicle's state-of-charge (SoC) update, periodic powermeter data updates, and unplugging or session termination events. This concurrent access without adequate locking or atomic operations can corrupt the internal state of the std::map or the std::optional objects it contains, potentially leading to undefined behavior such as application crashes or data corruption. The vulnerability affects all versions prior to 2026.02.0, which includes the majority of deployed versions before the patch release. The CVSS v3.1 score is 4.2 (medium), reflecting the vulnerability's impact on availability only, with no confidentiality or integrity loss. Exploitation requires access to the EV charging system's network or local environment with a high degree of attack complexity, and no privileges or user interaction are needed. Although no exploits have been reported in the wild, the vulnerability poses a risk of denial-of-service conditions that could disrupt EV charging operations. The vendor addressed the issue in version 2026.02.0 by implementing proper synchronization mechanisms to prevent concurrent data races.
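The advisory names the pattern but not the code, so the following is an added, hypothetical illustration (not EVerest's own code) of the race shape it describes and of the hardened form: a `std::map` of `std::optional` written by three concurrent activities (SoC updates, periodic powermeter updates, the SessionFinished clean-up), with every access serialised by a mutex and values handed out as copies rather than references. The class and key names are assumptions.

```cpp
#include <map>
#include <mutex>
#include <optional>
#include <string>
#include <thread>
// Hypothetical per-session telemetry store (not EVerest's code) with the
// data-race shape the advisory describes: a std::map of std::optional written
// by three concurrent activities, EV SoC updates, periodic powermeter updates
// and the SessionFinished clean-up. The racy form is just
//     std::map<std::string, std::optional<double>> values;   // no lock
// with set()/clear()/get() touching it from different threads: the tree may
// be rebalanced under a walking iterator and an optional's engaged flag read
// while it is being reset, which is the undefined behaviour the CVE names.
class SessionTelemetry {
public:
    void set(const std::string& key, double v) {      // SoC / powermeter writers
        std::lock_guard<std::mutex> lk(mtx_);
        values_[key] = v;
    }
    void clear() {                                    // SessionFinished handler
        std::lock_guard<std::mutex> lk(mtx_);
        values_.clear();
    }
    // Hand out a copy made under the lock, never a reference or iterator
    // that another thread may invalidate.
    std::optional<double> get(const std::string& key) const {
        std::lock_guard<std::mutex> lk(mtx_);
        auto it = values_.find(key);
        return it == values_.end() ? std::nullopt : it->second;
    }
    std::size_t size() const {
        std::lock_guard<std::mutex> lk(mtx_);
        return values_.size();
    }
private:
    mutable std::mutex mtx_;                          // guards values_
    std::map<std::string, std::optional<double>> values_;
};
// Run the three activities concurrently for `iters` rounds; race-free with the
// mutex (confirm with -fsanitize=thread). Only two keys are ever written, so
// the final key count is 0, 1 or 2; a corrupted tree would not honour that.
std::size_t stress(int iters) {
    SessionTelemetry t;
    std::thread soc([&] { for (int i = 0; i < iters; ++i) t.set("soc", i); });
    std::thread pm([&] { for (int i = 0; i < iters; ++i) t.set("power_w", 7200 + i); });
    std::thread fin([&] { for (int i = 0; i < iters; ++i) { t.clear(); (void)t.get("soc"); } });
    soc.join(); pm.join(); fin.join();
    return t.size();
}
```

Building the same harness against the unlocked form with ThreadSanitizer enabled is the cheapest way to surface this class of bug in review, since the crash itself is timing-dependent and rarely reproduces on demand.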
Potential Impact
The primary impact of CVE-2026-26072 is on the availability of EV charging services using the EVerest everest-core software. Corruption of internal data structures due to the race condition can cause application crashes or unstable behavior, leading to denial of service. This disruption could affect EV users by preventing charging sessions from completing or starting, potentially causing operational delays and customer dissatisfaction. For organizations operating EV charging infrastructure, especially those managing large-scale deployments, this could translate into financial losses, reputational damage, and operational challenges. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact on critical infrastructure supporting electric vehicles is significant. Given the increasing reliance on EV charging networks globally, any disruption could have cascading effects on transportation and energy sectors. The medium CVSS score reflects the moderate risk, but the real-world impact depends on the deployment scale and the ability to apply patches promptly.
Mitigation Recommendations
To mitigate CVE-2026-26072, organizations should immediately upgrade the EVerest everest-core software to version 2026.02.0 or later, where the race condition has been fixed. In addition to patching, operators should implement robust concurrency testing and code review practices to detect similar synchronization issues proactively. Employing runtime monitoring tools that detect data races or application crashes can help identify exploitation attempts or unstable behavior early. Network segmentation and strict access controls should be enforced to limit exposure of EV charging management interfaces to trusted personnel and systems only, reducing the attack surface. Where possible, implement redundancy and failover mechanisms in charging infrastructure to maintain service availability during software faults. Finally, coordinate with vendors and industry groups to stay informed about emerging vulnerabilities and best practices in EV charging software security.
Affected Countries
United States, Germany, China, Japan, South Korea, France, United Kingdom, Netherlands, Canada, Norway, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-10T18:01:31.901Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69c57a7d3c064ed76f9f9cee
Added to database: 3/26/2026, 6:27:09 PM
Last enriched: 3/26/2026, 6:27:40 PM
Last updated: 3/27/2026, 5:27:38 AM