CVE-2026-26073 | EVerest everest-core 2025.9.0/2025.10.0/2025.12.0 std::queue/std::queue heap-based overflow (GHSA-jf36-f4f9-7qc2)

VDB-353674 · CVE-2026-26073 · GHSA-JF36-F4F9-7QC2 EVEREST EVEREST-CORE 2025.9.0/2025.10.0/2025.12.0 STD::QUEUE/STD::QUEUE HEAP-BASED OVERFLOW HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 5.8 $0-$5k 1.63+ Summaryinfo A vulnerability was found in EVerest everest-core. It has been declared as critical. This affects the function std::queue/std::queue. Executing a manipulation can lead to heap-based overflow. The identification of this vulnerability is CVE-2026-26073. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component. Detailsinfo A vulnerability classified as critical was found in EVerest everest-core. This vulnerability affects the function std::queue/std::queue. The manipulation with an unknown input leads to a heap-based overflow vulnerability. The CWE definition for the vulnerability is CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). As an impact it is known to affect availability. CVE summarizes: EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible `std::queue`/`std::deque` corruption. The trigger is powermeter public key update and EV session/error events (while OCPP not started). This results in a TSAN data race report and an ASAN/UBSAN misaligned address runtime error being observed. Version 2026.02.0 contains a patch. The advisory is available at github.com. This vulnerability was named CVE-2026-26073 since 02/10/2026. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are known, but there is no available exploit. Upgrading to version 2026.02.0 eliminates this vulnerability. Productinfo Vendor EVerest Name everest-core Version 2025.9.0 2025.10.0 2025.12.0 CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.9 VulDB Meta Temp Score: 5.8 VulDB Base Score: 5.9 VulDB Temp Score: 5.7 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 5.9 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Heap-based overflow CWE: CWE-122 / CWE-119 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: everest-core 2026.02.0 Timelineinfo 02/10/2026 CVE reserved 03/26/2026 +44 days Advisory disclosed 03/26/2026 +0 days VulDB entry created 03/26/2026 +0 days VulDB entry last update Sourcesinfo Advisory: GHSA-jf36-f4f9-7qc2 Status: Confirmed CVE: CVE-2026-26073 (🔒) GCVE (CVE): GCVE-0-2026-26073 GCVE (VulDB): GCVE-100-353674 Entryinfo Created: 03/26/2026 19:00 Changes: 03/26/2026 19:00 (65) Complete: 🔍 Cache ID: 99:085:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸