EVerest Charging Software Data Race Vulnerability in EV SoC Management
Vulnerability
A data race vulnerability has been identified in the EVerest EV charging software stack, specifically in versions prior to 2026.02.0. The issue arises from concurrent access to a `std::map<std::optional>` container, which can lead to corruption of the data. This vulnerability is triggered by simultaneous updates to the electric vehicle's state of charge (SoC) and periodic power meter readings, combined with the disconnection of the charging session. The affected component is the `OCPP::evse_soc_map`, which manages SoC data for electric vehicles.
Impact
Triggering the data race can corrupt the `evse_soc_map` container. This corruption can disrupt the management of state of charge data, potentially causing incorrect information to be processed or transmitted during charging sessions.
Reproduction
The vulnerability can be reproduced by updating the EV state of charge while a power meter update is being processed, and then unplugging the vehicle, which triggers the session finished status. This sequence of events creates a race condition that can be detected using ThreadSanitizer, as it exposes the concurrent access issue that corrupts the `std::map<std::optional>` data structure.
Remediation
Users can upgrade to EVerest version 2026.02.0, which addresses this vulnerability by ensuring that access to the `evse_soc_map` is properly synchronized, preventing concurrent modifications that could lead to data corruption.
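The synchronization pattern described above, as an added example that is not EVerest's own code: a mutex-guarded SoC table exercised by the three concurrent paths the advisory names (SoC update, power meter read, session finished). The class name `GuardedSocMap`, its methods, and the key and value types (`int32_t` EVSE id, `std::optional<float>` SoC) are assumptions for illustration.

```cpp
#include <cstdint>
#include <map>
#include <mutex>
#include <optional>
#include <thread>

// Hypothetical stand-in for a per-EVSE SoC table (names and types are assumptions).
class GuardedSocMap {
public:
    void set_soc(int32_t evse_id, float soc) {   // EV SoC update path
        std::lock_guard<std::mutex> lock(mtx_);
        map_[evse_id] = soc;
    }
    void clear_soc(int32_t evse_id) {            // session-finished (unplug) path
        std::lock_guard<std::mutex> lock(mtx_);
        map_[evse_id].reset();
    }
    std::optional<float> get_soc(int32_t evse_id) {  // power meter path
        std::lock_guard<std::mutex> lock(mtx_);
        auto it = map_.find(evse_id);
        if (it == map_.end()) return std::nullopt;
        return it->second;  // copy out; no reference escapes the lock
    }
private:
    std::mutex mtx_;
    std::map<int32_t, std::optional<float>> map_;
};

// Runs the three paths concurrently and returns how many meter reads saw a
// value the updater never stored (valid range 0..100), i.e. evidence of corruption.
int stress(int iterations) {
    GuardedSocMap soc;
    int bad_reads = 0;  // written only by the meter thread, read after join
    std::thread updater([&] {
        for (int i = 0; i < iterations; ++i) soc.set_soc(1 + i % 4, float(i % 101));
    });
    std::thread unplug([&] {
        for (int i = 0; i < iterations; ++i) soc.clear_soc(1 + i % 4);
    });
    std::thread meter([&] {
        for (int i = 0; i < iterations; ++i) {
            auto v = soc.get_soc(1 + i % 4);
            if (v && (*v < 0.0f || *v > 100.0f)) ++bad_reads;
        }
    });
    updater.join(); unplug.join(); meter.join();
    return bad_reads;
}

int main() { return stress(20000) == 0 ? 0 : 1; }
```

Building this with `g++ -std=c++17 -fsanitize=thread -pthread` should produce no ThreadSanitizer report. Deleting the `std::lock_guard` lines recreates the unsynchronized access pattern, which ThreadSanitizer flags as a data race on the map.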
