CVE-2026-26073: CWE-122: Heap-based Buffer Overflow in EVerest everest-core
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible `std::queue`/`std::deque` corruption. The trigger is a powermeter public key update and EV session/error events (while OCPP is not started). This results in a TSAN data race report and an ASAN/UBSAN misaligned address runtime error being observed. Version 2026.02.0 contains a patch.
AI Analysis
Technical Summary
CVE-2026-26073 is a heap-based buffer overflow vulnerability, classified under CWE-122, in the everest-core component of the EVerest EV charging software stack. The vulnerability exists in versions prior to 2026.02.0 and is caused by a data race that leads to corruption of the standard C++ containers `std::queue` or `std::deque`. The race is triggered when the system processes powermeter public key updates concurrently with EV session or error events while the Open Charge Point Protocol (OCPP) is not active. This concurrency issue results in memory corruption, which is detected by runtime sanitizers such as TSAN, ASAN, and UBSAN, indicating misaligned addresses and undefined behavior. The heap overflow can cause application instability or crashes, impacting availability. The vulnerability does not require authentication or user interaction but has a high attack complexity, as the attacker must time events precisely to trigger the race. No known exploits have been reported in the wild to date. The vendor addressed the issue in version 2026.02.0 by patching the concurrency handling to eliminate the data race and prevent container corruption.
Potential Impact
This vulnerability primarily threatens the availability of EV charging software systems running affected versions of everest-core. Exploitation can lead to application crashes or denial of service, disrupting EV charging operations. For organizations operating EV charging infrastructure, this can result in service outages, customer dissatisfaction, and potential revenue loss. While confidentiality and integrity impacts are not evident, the disruption of critical EV charging services can have cascading effects on transportation and energy sectors. Given the increasing reliance on EV infrastructure worldwide, widespread exploitation could affect large-scale charging networks, especially those that have not updated to the patched version. The medium CVSS score reflects the moderate risk due to the complexity of exploitation and lack of direct data compromise, but the operational impact remains significant.
Mitigation Recommendations
Organizations should immediately upgrade everest-core to version 2026.02.0 or later to apply the official patch that resolves the data race condition. In addition, developers and operators should implement strict concurrency controls and thread synchronization mechanisms around shared data structures like `std::queue` and `std::deque` to prevent race conditions. Employing static analysis and dynamic sanitizers such as TSAN, ASAN, and UBSAN during development and testing can help detect similar concurrency issues early. Network segmentation and limiting exposure of EV charging management interfaces can reduce the attack surface. Monitoring logs for unusual powermeter public key updates or EV session events occurring out of expected sequences may help detect attempted exploitation. Finally, maintaining an incident response plan tailored to EV infrastructure disruptions will improve resilience against potential denial of service attacks.
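The synchronization recommended above, as an added example that is not EVerest's code or its patch: a `std::queue` whose every access takes the same mutex, fed by two producer threads and drained by one consumer. The names `GuardedEventQueue` and `run_concurrent_events` and the event strings are hypothetical.

```cpp
#include <cstddef>
#include <mutex>
#include <optional>
#include <queue>
#include <string>
#include <thread>
#include <utility>

// Hypothetical wrapper: every access to the underlying std::queue takes the same mutex.
class GuardedEventQueue {
public:
    void push(std::string ev) {
        std::lock_guard<std::mutex> lock(mtx_);
        q_.push(std::move(ev));
    }
    // empty(), front() and pop() run under one lock, so they cannot interleave with a push.
    std::optional<std::string> try_pop() {
        std::lock_guard<std::mutex> lock(mtx_);
        if (q_.empty()) return std::nullopt;
        std::string ev = std::move(q_.front());
        q_.pop();
        return ev;
    }
private:
    std::mutex mtx_;
    std::queue<std::string> q_;
};

// Two producers (constructed event names) and one consumer share the queue.
// Returns how many events the consumer drained.
std::size_t run_concurrent_events(std::size_t per_producer) {
    GuardedEventQueue queue;
    auto producer = [&queue, per_producer](const char* kind) {
        for (std::size_t i = 0; i < per_producer; ++i) queue.push(kind);
    };
    std::size_t drained = 0;  // written only by the consumer, read after join()
    const std::size_t expected = 2 * per_producer;
    std::thread key_updates(producer, "powermeter_public_key_update");
    std::thread session_events(producer, "session_or_error_event");
    std::thread consumer([&] {
        while (drained < expected) {
            if (queue.try_pop()) ++drained; else std::this_thread::yield();
        }
    });
    key_updates.join();
    session_events.join();
    consumer.join();
    return drained;
}

int main() { return run_concurrent_events(10000) == 20000 ? 0 : 1; }
```

Building this with `-fsanitize=thread` and running it is a quick way to confirm that TSAN reports no race on the queue.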
Affected Countries
United States, Germany, China, Netherlands, United Kingdom, France, Japan, South Korea, Canada, Norway, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-10T18:01:31.901Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c562cdf4197a8e3be49a75
Added to database: 3/26/2026, 4:46:05 PM
Last enriched: 3/26/2026, 5:03:40 PM
Last updated: 3/26/2026, 8:27:03 PM