EVerest Charging Software Data Race Vulnerability Leading to Heap Use-After-Free
Vulnerability
A data race vulnerability has been identified in the EVerest EV charging software stack, specifically in versions prior to 2026.02.0. The race allows concurrent, unsynchronized access to a `std::string` object, which can lead to a heap-use-after-free condition. The issue arises when an EVCCID (Electric Vehicle Communication Controller Identifier) update and an OCPP (Open Charge Point Protocol) session or authorization event are processed at the same time. The vulnerable object is `OCPP201::evse_evcc_id`, a map keyed by EVSE (Electric Vehicle Supply Equipment) ID that stores the EVCCID for each EVSE. Because access to the map is not synchronized, the EVInfo callback, which writes to the map, can run concurrently with session event processing, which reads from it; the resulting unsynchronized access is undefined behavior and can corrupt memory.
Impact
Exploitation of this vulnerability results in a heap-use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.
Reproduction
The vulnerability can be reproduced by triggering an OCPP session event or authorization event while an EVCCID update is being processed, for example by simulating the receipt of an EVCCID update through the OCPP protocol. The update writes to the `evse_evcc_id` map while the event handler reads from it, with no synchronization between the two, which produces the data race.
Remediation
Users can upgrade to EVerest version 2026.02.0, which includes a patch for this vulnerability.
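The C++ example below is added here to illustrate the class of defect the advisory describes and the usual mitigation; it is not EVerest's code, and the class, method and field names (`UnsynchronizedEvccIdMap`, `EvccIdRegistry`, `on_ev_info`, `evccid_for`, `on_session_finished`) are assumptions chosen for illustration. The first struct reproduces the hazardous shape: a plain map written by one callback and read from another thread, with the reader holding a reference into the map. The second class guards every access with a mutex and hands readers a copy, so no reference to a `std::string` whose buffer another thread may free ever leaves the critical section. The stress function exercises only the hardened class, with long values so each assignment actually touches the heap.

```cpp
#include <atomic>
#include <cstdint>
#include <iostream>
#include <map>
#include <mutex>
#include <optional>
#include <string>
#include <thread>
#include <vector>

// Hazardous shape (illustrative, not EVerest's code): no lock, and the reader
// receives a reference into the map. If the writer assigns a new value while
// the reader still uses that reference, the old std::string heap buffer can be
// freed underneath the reader (heap-use-after-free). Not exercised concurrently.
struct UnsynchronizedEvccIdMap {
    std::map<int32_t, std::string> evse_evcc_id;

    void on_ev_info(int32_t evse_id, const std::string& evccid) {
        evse_evcc_id[evse_id] = evccid;   // may free the previous buffer
    }
    const std::string& evccid_for(int32_t evse_id) {
        return evse_evcc_id[evse_id];     // reference can dangle under a writer
    }
};

// Hardened form: every access holds the mutex, readers get a copy made while
// the lock is held, and erasure goes through the same lock.
class EvccIdRegistry {
public:
    void on_ev_info(int32_t evse_id, std::string evccid) {
        std::lock_guard<std::mutex> lock(mtx_);
        evse_evcc_id_[evse_id] = std::move(evccid);
    }
    std::optional<std::string> evccid_for(int32_t evse_id) const {
        std::lock_guard<std::mutex> lock(mtx_);
        auto it = evse_evcc_id_.find(evse_id);
        if (it == evse_evcc_id_.end()) return std::nullopt;
        return it->second;                // copy, so nothing escapes the lock
    }
    void on_session_finished(int32_t evse_id) {
        std::lock_guard<std::mutex> lock(mtx_);
        evse_evcc_id_.erase(evse_id);
    }
private:
    mutable std::mutex mtx_;
    std::map<int32_t, std::string> evse_evcc_id_;
};

// Single-threaded check of the registry's set / get / erase behaviour.
bool lookup_roundtrip() {
    EvccIdRegistry reg;
    if (reg.evccid_for(7).has_value()) return false;
    reg.on_ev_info(7, "CONSTRUCTED-EVCCID-7");   // constructed sample value
    if (reg.evccid_for(7).value_or("") != "CONSTRUCTED-EVCCID-7") return false;
    reg.on_session_finished(7);
    return !reg.evccid_for(7).has_value();
}

// Stress check: one writer alternates between two 64-byte EVCCIDs (long enough
// to defeat the small-string optimisation) while three readers copy the value
// on every iteration. With the lock in place, every observed value must be one
// of the two strings that were written; a torn or freed string would fail this.
bool registry_survives_concurrent_access(int iterations = 20000) {
    const std::string a(64, 'A');   // constructed sample EVCCIDs, not real IDs
    const std::string b(64, 'B');
    EvccIdRegistry reg;
    reg.on_ev_info(1, a);
    std::atomic<bool> ok{true};

    std::thread writer([&] {
        for (int i = 0; i < iterations; ++i) reg.on_ev_info(1, (i & 1) ? a : b);
    });
    std::vector<std::thread> readers;
    for (int r = 0; r < 3; ++r) {
        readers.emplace_back([&] {
            for (int i = 0; i < iterations; ++i) {
                std::optional<std::string> v = reg.evccid_for(1);
                if (!v || (*v != a && *v != b)) ok = false;
            }
        });
    }
    writer.join();
    for (auto& t : readers) t.join();
    return ok.load();
}

int main() {
    std::cout << "roundtrip: " << lookup_roundtrip()
              << ", concurrent: " << registry_survives_concurrent_access() << "\n";
    return 0;
}
```

Building the hardened class with `-fsanitize=thread` and running the stress function is a practical way to confirm that no unsynchronized access remains; the same build flag is what makes the hazardous struct's race visible if it is ever run with a writer and reader on separate threads.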
