CVE-2026-33009

Summary

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging message and results in Charger::shared_context / internal_context accessed concurrently without lock. Version 2026.02.0 contains a patch.

Affected Software

VendorProductVersion RangeStatus
EVeresteverest-core< 2026.02.0affected

Weaknesses

  • CWE-362: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References