CVE-2026-33009
Published: 26 March 2026
Summary
CVE-2026-33009 is a high-severity Race Condition (CWE-362) vulnerability in Linuxfoundation Everest. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring identification, reporting, and timely patching of the data race vulnerability fixed in EVerest version 2026.02.0.
Implements safeguards like address space layout randomization and data execution prevention to protect against memory corruption from the C++ undefined behavior triggered by concurrent access.
Prevents unauthorized and unintended information transfer or corruption via shared system resources such as Charger::shared_context and internal_context accessed without synchronization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploit of public-facing EV software via MQTT message triggers memory corruption (CWE-362) enabling application exploitation for high-availability DoS impact.
NVD Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging` message and results in `Charger::shared_context` / `internal_context` accessed concurrently without lock.…
more
Version 2026.02.0 contains a patch.
Deeper analysisAI
CVE-2026-33009 is a data race vulnerability in EVerest, an open-source EV charging software stack, affecting versions prior to 2026.02.0. The issue leads to C++ undefined behavior with potential memory corruption, triggered by an MQTT message published to the topic `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging`. This causes concurrent access to `Charger::shared_context` and `internal_context` without proper locking, classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization).
An unauthenticated remote attacker with network access can exploit this vulnerability at low complexity with no user interaction or privileges required. Exploitation involves sending the specific MQTT message, potentially resulting in memory corruption that yields high availability impact (A:H) and low integrity impact (I:L), but no confidentiality impact (C:N), as reflected in the CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).
The GitHub security advisory (GHSA-33qh-fg6f-jjx5) at https://github.com/EVerest/EVerest/security/advisories/GHSA-33qh-fg6f-jjx5 provides full details. Mitigation is available in EVerest version 2026.02.0, which includes a patch to resolve the concurrent access issue.
Details
- CWE(s)