EVerest EV Charging Software Data Race Vulnerability in OCPP 2.0.1 Handling

A data race vulnerability has been identified in the EVerest EV charging software stack, specifically in versions prior to 2026.02.0. The issue arises from concurrent access to a `std::map<std::optional>` container, which can lead to corruption of the container or its optional values. This vulnerability is triggered by an Electric Vehicle State of Charge (SoC) update, combined with a periodic powermeter update, and the unplugging of the vehicle, which signals the end of a charging session. The affected component is the `OCPP201::evse_soc_map`, which manages SoC data for electric vehicles.

Impact

Exploitation of this vulnerability causes a data race, leading to a reported concurrency issue where the state of the `evse_soc_map` can become corrupted or throw exceptions due to improper handling of optional values.

Reproduction

The vulnerability can be reproduced by initiating an EV SoC update while a powermeter periodic update is also in progress, and then unplugging the vehicle, which triggers the SessionFinished state. This sequence creates a race condition as the powermeter callback (which reads SoC values) and the EVInfo callback (which writes SoC values) can interfere with each other, especially when the SessionFinished event resets the SoC data, all occurring simultaneously from different threads.

Remediation

Users should update to EVerest version 2026.02.0, which includes a patch for this vulnerability.