Cyber Resilience

CVE-2026-33009

HighPublic PoC

Published: 26 March 2026

Published
26 March 2026
Modified
31 March 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS Score 0.0025 15.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33009 is a high-severity Race Condition (CWE-362) vulnerability in Linuxfoundation Everest. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-33009 is a data race vulnerability in EVerest, an open-source EV charging software stack, affecting versions prior to 2026.02.0. The issue leads to C++ undefined behavior with potential memory corruption, triggered by an MQTT message published to the topic `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging`. This causes concurrent access to `Charger::shared_context` and `internal_context` without proper locking, classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization).

An unauthenticated remote attacker with network access can exploit this vulnerability at low complexity with no user interaction or privileges required. Exploitation involves sending the specific MQTT message, potentially resulting in memory corruption that yields high availability impact (A:H) and low integrity impact (I:L), but no confidentiality impact (C:N), as reflected in the CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

The GitHub security advisory (GHSA-33qh-fg6f-jjx5) at https://github.com/EVerest/EVerest/security/advisories/GHSA-33qh-fg6f-jjx5 provides full details. Mitigation is available in EVerest version 2026.02.0, which includes a patch to resolve the concurrent access issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging` message and results in `Charger::shared_context` / `internal_context` accessed concurrently without lock.…

more

Version 2026.02.0 contains a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated network exploit of public-facing EV software via MQTT message triggers memory corruption (CWE-362) enabling application exploitation for high-availability DoS impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27816Same product: Linuxfoundation Everest
CVE-2026-26008Same product: Linuxfoundation Everest
CVE-2026-27815Same product: Linuxfoundation Everest
CVE-2025-68136Same product: Linuxfoundation Everest
CVE-2025-68137Same product: Linuxfoundation Everest
CVE-2025-68133Same product: Linuxfoundation Everest
CVE-2026-27828Same product: Linuxfoundation Everest
CVE-2025-68141Same product: Linuxfoundation Everest
CVE-2025-68134Same product: Linuxfoundation Everest
CVE-2026-23995Same product: Linuxfoundation Everest

Affected Assets

linuxfoundation
everest
≤ 2026.02.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring identification, reporting, and timely patching of the data race vulnerability fixed in EVerest version 2026.02.0.

prevent

Implements safeguards like address space layout randomization and data execution prevention to protect against memory corruption from the C++ undefined behavior triggered by concurrent access.

prevent

Prevents unauthorized and unintended information transfer or corruption via shared system resources such as Charger::shared_context and internal_context accessed without synchronization.

References