CVE-2026-26074 identifies a race condition vulnerability (CWE-362) in the everest-core component of the EVerest EV charging software stack. The issue exists in versions prior to 2026.02.0 and involves concurrent execution using a shared resource without proper synchronization. Specifically, the vulnerability arises from concurrent access to a std::map<std::queue> data structure named event_queue, which can become corrupted due to unsynchronized operations. The race condition is triggered when a network-based CSMS (Charging Station Management System) request such as GetLog or UpdateFirmware coincides with a physical EVSE (Electric Vehicle Supply Equipment) fault event. This concurrency leads to data races detected by ThreadSanitizer (TSAN), indicating unsafe simultaneous access. The vulnerability could cause data corruption, leading to potential denial of service or integrity issues within the EV charging process. The CVSS v3.1 score is 7.0, reflecting network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and low confidentiality and integrity impact but high availability impact. No known exploits are reported in the wild yet. The vendor has released version 2026.02.0 containing a patch that addresses the synchronization flaw.

The vulnerability could disrupt EV charging operations by corrupting internal data structures critical to event handling, potentially causing denial of service or malfunction of charging stations. This could lead to charging interruptions, degraded service reliability, and loss of trust in EV infrastructure. Organizations operating EV charging networks using affected versions risk operational downtime and may face challenges in maintaining service continuity. Although confidentiality and integrity impacts are rated low, the availability impact is high, which is critical for infrastructure services. The lack of required privileges or user interaction lowers the barrier for remote exploitation, increasing risk. Given the growing reliance on EV infrastructure globally, this vulnerability could have widespread operational and reputational consequences if exploited.

Organizations should immediately upgrade everest-core to version 2026.02.0 or later, which contains the official patch fixing the race condition. Until patching is possible, implement network-level controls to restrict or monitor CSMS GetLog and UpdateFirmware requests, especially from untrusted sources, to reduce the likelihood of triggering the race condition. Employ runtime monitoring tools capable of detecting data races or abnormal event_queue behavior. Conduct thorough testing of EVSE fault event handling under concurrent conditions to identify and mitigate synchronization issues. Engage with the vendor for any additional recommended configuration changes or hotfixes. Incorporate robust concurrency testing and static analysis in the development lifecycle to prevent similar issues. Finally, maintain incident response readiness to quickly address any service disruptions related to this vulnerability.