EVerest OCPP Event Queue Data Race Vulnerability Leading to Heap Corruption
Vulnerability
A data race vulnerability has been identified in the EVerest EV charging software stack, specifically in versions prior to 2026.02.0. The issue arises from concurrent, lock-free insertions into the 'event_queue', which is built on 'std::queue' and is not thread-safe. The race is triggered by a powermeter public key update that coincides with EV session or error events while the OCPP protocol is not yet started. The data race can corrupt the queue, causing heap corruption and potential use-after-free conditions. The vulnerability has been patched in version 2026.02.0.
Impact
Exploitation of this vulnerability causes a data race that can corrupt the event queue, leading to heap corruption and potentially allowing for use-after-free conditions.
Reproduction
The vulnerability can be reproduced by updating the powermeter public key while OCPP is not started, and simultaneously generating EV session or error events. This can be done by subscribing to the relevant event callbacks in a test environment, which will trigger the unlocked insertion into the event queue, causing a data race and resulting in a runtime error due to misaligned memory access.
Remediation
Users can upgrade to EVerest version 2026.02.0 or later to address this vulnerability.
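To make the failure mode concrete, here is an added example (not EVerest's own code or its actual patch) of the same pattern: several callback threads push into a buffered event queue before anything drains it. A bare 'std::queue' gives no guarantee for concurrent push(), so the wrapper serializes every access behind a mutex; the Event type, the class and the producer names are hypothetical stand-ins.

```cpp
#include <cstddef>
#include <mutex>
#include <optional>
#include <queue>
#include <string>
#include <thread>
#include <vector>

// Hypothetical stand-in for an OCPP event buffered before the protocol starts.
struct Event {
    std::string kind;  // e.g. "public_key_update", "session_event"
    std::string data;
};

// std::queue has no internal locking: two threads calling push() at once race on the
// container's bookkeeping (the unsynchronized insertion the advisory describes).
class GuardedEventQueue {
public:
    void push(Event e) {
        std::lock_guard<std::mutex> lock(mutex_);
        queue_.push(std::move(e));
    }
    std::optional<Event> pop() {  // drained once OCPP is started
        std::lock_guard<std::mutex> lock(mutex_);
        if (queue_.empty()) return std::nullopt;
        Event e = std::move(queue_.front());
        queue_.pop();
        return e;
    }
    std::size_t size() const {
        std::lock_guard<std::mutex> lock(mutex_);
        return queue_.size();
    }
private:
    mutable std::mutex mutex_;
    std::queue<Event> queue_;
};

// Models the advisory's scenario: a powermeter key update plus session/error
// callbacks enqueue concurrently while nothing drains the queue yet.
std::size_t buffer_concurrent_events(GuardedEventQueue& q, int producers, int per_producer) {
    std::vector<std::thread> threads;
    for (int p = 0; p < producers; ++p) {
        threads.emplace_back([&q, p, per_producer] {
            for (int i = 0; i < per_producer; ++i)
                q.push(Event{p == 0 ? "public_key_update" : "session_event", std::to_string(i)});
        });
    }
    for (auto& t : threads) t.join();
    return q.size();
}
```

Running the same producers against an unguarded 'std::queue' is undefined behaviour, which is why the example only exercises the guarded form; under ThreadSanitizer the unguarded variant reports the race immediately.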