EVerest Charging Software Data Race Vulnerability Leading to Event Queue Corruption
Vulnerability
A data race vulnerability has been identified in EVerest, an EV charging software stack, in versions prior to 2026.02.0. The issue arises from concurrent access to the 'event_queue' data structure, which is a 'std::map' of 'std::queue' elements, without proper synchronization. This unsynchronized access can lead to corruption of the queue's internal state, causing crashes or memory corruption. The vulnerability is triggered by a combination of a CSMS GetLog or UpdateFirmware request (network) and an EVSE fault event (physical).
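The data structure described above with the missing synchronization put in, as an added example that is not EVerest code and not the 2026.02.0 patch: a `std::map` of `std::queue` where every access holds one mutex. The class and function names, the `int` map key and the two stand-in producer threads are assumptions for illustration.

```cpp
#include <map>
#include <mutex>
#include <queue>
#include <string>
#include <thread>
#include <utility>
#include <vector>

// Same shape as the 'event_queue' in the advisory: a std::map of std::queue.
// The int key and all names here are hypothetical.
class GuardedEventQueue {
public:
    void push(int key, std::string event) {
        std::lock_guard<std::mutex> lock(mtx_);
        queues_[key].push(std::move(event)); // operator[] may insert a map node
    }
    // Move pending events out under the lock; the caller processes them unlocked.
    std::vector<std::string> drain(int key) {
        std::lock_guard<std::mutex> lock(mtx_);
        std::vector<std::string> out;
        auto it = queues_.find(key);
        if (it == queues_.end()) return out;
        while (!it->second.empty()) {
            out.push_back(std::move(it->second.front()));
            it->second.pop();
        }
        return out;
    }
private:
    std::mutex mtx_;
    std::map<int, std::queue<std::string>> queues_;
};

// Constructed workload: one thread stands in for the network-side handler,
// the other for the physical fault handler; both hit the same four keys.
int run_two_producers(int per_thread) {
    GuardedEventQueue q;
    auto producer = [&q, per_thread](const char* tag) {
        for (int i = 0; i < per_thread; ++i) q.push(i % 4, tag);
    };
    std::thread network(producer, "csms_request");
    std::thread physical(producer, "evse_fault");
    network.join(); physical.join();
    int total = 0;
    for (int k = 0; k < 4; ++k) total += static_cast<int>(q.drain(k).size());
    return total;
}
```

Building this with `-fsanitize=thread` is a quick way to confirm that no access to the map or its queues escapes the lock.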
Impact
Triggering the data race can corrupt the 'event_queue' data structure. Such corruption disrupts normal operation, causing crashes or memory corruption within the application.
Reproduction
The vulnerability can be reproduced by sending a CSMS GetLog or UpdateFirmware request while simultaneously generating an EVSE fault event. This combination of network and physical inputs will trigger the data race condition, as observed in the application's ThreadSanitizer reports.
Remediation
Users can upgrade to EVerest version 2026.02.0, which includes a patch for this vulnerability.
