Platform: other
Component: everest
Fixed in: 2026.02.0
CVE-2026-33009 describes a data race vulnerability discovered in everest-core, an EV charging software stack. This flaw can lead to undefined behavior (UB) and potential memory corruption, impacting the stability and security of charging operations. Versions prior to 2026.02.0 are affected, and a patch is available in version 2026.02.0.
The data race occurs when the everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging MQTT message is processed concurrently without proper locking mechanisms. This allows for simultaneous access to Charger::shared_context and internal_context, leading to unpredictable program behavior. Successful exploitation could result in denial of service (DoS) by crashing the charging software, or potentially allow for arbitrary code execution if memory corruption leads to control flow hijacking. The potential for memory corruption makes this a serious security concern, as it could allow attackers to manipulate charging parameters or gain unauthorized access to the system.
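The locking discipline that this description implies, as an added C++ sketch that is not EVerest source code: the SharedContext fields, the Charger methods and the 230 V / 16 A figures are hypothetical and constructed for illustration. The unlocked method shows the racy pattern and is deliberately never called; a build that does call it under -fsanitize=thread reports the race.

```cpp
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical stand-in for state shared by the charger state machine and an
// MQTT command handler. Constructed invariant: max_power_w == phases*230*16.
struct SharedContext {
    int phases = 3;
    int max_power_w = 3 * 230 * 16;
};
class Charger {
public:
    // Racy pattern: the handler thread writes both fields with no lock held,
    // so a concurrent reader can observe a half-applied update (UB in C++).
    void switch_phases_unlocked(int n) { set(n); }
    // Hardened pattern: every access to the context takes the same mutex.
    void switch_phases_locked(int n) { std::lock_guard<std::mutex> l(mtx_); set(n); }
    // Reader used by the state-machine thread: true if the invariant holds.
    bool consistent() {
        std::lock_guard<std::mutex> l(mtx_);
        return ctx_.max_power_w == ctx_.phases * 230 * 16;
    }
private:
    void set(int n) { ctx_.phases = n; ctx_.max_power_w = n * 230 * 16; }
    std::mutex mtx_;
    SharedContext ctx_;
};

// Runs several writers (simulated command messages) against one reader using
// the locked path and returns how often the reader saw a broken invariant.
int count_violations(int writers, int iterations) {
    Charger c;
    int violations = 0;  // written only by the reader thread, read after join
    std::thread reader([&] {
        for (int i = 0; i < iterations; ++i)
            if (!c.consistent()) ++violations;
    });
    std::vector<std::thread> pool;
    for (int w = 0; w < writers; ++w)
        pool.emplace_back([&c, iterations] {
            for (int i = 0; i < iterations; ++i)
                c.switch_phases_locked(i % 2 ? 1 : 3);
        });
    for (auto& t : pool) t.join();
    reader.join();
    return violations;
}
```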
This vulnerability is publicly disclosed and documented in CVE-2026-33009. No known active exploitation campaigns have been reported as of the publication date (2026-03-26). The vulnerability's impact is potentially high due to the possibility of memory corruption, but the complexity of triggering the data race may limit its immediate exploitability. It is not currently listed on the CISA KEV catalog.
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-33009 is to upgrade to version 2026.02.0 or later, which includes a patch addressing the data race condition. If immediate upgrading is not possible, consider implementing stricter MQTT message validation and rate limiting to reduce the likelihood of concurrent message processing. Monitoring the system for unusual memory access patterns or crashes can also help detect potential exploitation attempts. After upgrading, confirm the fix by sending the triggering MQTT message and verifying that no errors or crashes occur.
Update EVerest to version 2026.02.0 or later. This version contains the fix for the data race that causes charger state corruption.
CVE-2026-33009 is a HIGH severity data race vulnerability in everest-core versions before 2026.02.0. It allows for potential memory corruption when processing MQTT messages, potentially leading to system instability.
You are affected if you are using everest-core versions prior to 2026.02.0. Check your version and upgrade immediately if vulnerable.
Upgrade to version 2026.02.0 or later, which contains the patch for this vulnerability. If immediate upgrade is not possible, implement MQTT message validation and rate limiting.
No active exploitation campaigns have been reported as of the publication date, but the potential for memory corruption warrants immediate attention and mitigation.
Refer to the official everest-core documentation and release notes for details on the vulnerability and the available patch. Check the project's website for updates.