Home / Vulnerability Intelligence / CVE-2026-33009

CVE-2026-33009 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: March 26, 2026

EVerest - Race Condition

Published: March 26, 2026Updated: March 26, 2026Remote Exploitable

Overview

EVerest EV charging software stack < 2026.02.0 contains a race condition caused by concurrent access to Charger::shared_context and internal_context without locks triggered by MQTT messages, letting attackers cause memory corruption, exploit requires sending crafted MQTT messages.

Severity & Score

Severity: High

CVSS Score: 8.2

EPSS Score: 3.6%(Probability of exploitation in next 30 days)

Impact

Attackers can cause memory corruption leading to undefined behavior or crashes, potentially disrupting charging operations.

Mitigation

Update to version 2026.02.0 or later.

References

https://github.com/EVerest/EVerest/security/advisories/GHSA-33qh-fg6f-jjx5

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 26, 2026

🟠 CVE-2026-33009 - High (8.2) EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging` mess... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33009/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-33009
Severity: High
CVSS Score: 8.2
Type: race_condition
Status: new
EPSS: 3.6%
Social Posts: 1

CWE

CWE-362

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

EPSS Score

3.6%Probability of exploitation in the next 30 days