CVE-2026-23955
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2026-23955, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-21

Last updated on: 2026-02-06

Assigner: GitHub, Inc.

Description

EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointers arithmetic instead of printing the integer value as expected, like most of interpreted languages. This can be used by malicious operator to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-21
Last Modified
2026-02-06
Generated
2026-07-06
AI Q&A
2026-01-21
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation everest to 2025.9.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1046 The product creates an immutable text string using string concatenation operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-23955 is a vulnerability in the EVerest EV charging software stack where integer values are improperly concatenated to string literals in error messages. Instead of converting integers to strings, the code performs pointer arithmetic, causing the program to interpret the integer as an offset to the string literal's memory address. This flaw allows a malicious operator with high privileges to read unintended memory regions, including sensitive areas like the heap, stack, and stack canary, potentially exposing confidential information. The issue affects versions prior to 2025.9.0 of EVerest and prior to 0.30.1 of libocpp and has been fixed in these versions. [1]

Impact Analysis

This vulnerability can allow a malicious operator with high privileges and user interaction to read sensitive memory contents that should not be accessible, such as heap, stack, and stack canary data. On 64-bit systems, it can leak other string literals or even entire memory contents depending on the integer size and architecture. This can lead to information disclosure, exposing confidential data and potentially aiding further attacks. [1]

Detection Guidance

This vulnerability is related to improper integer to string concatenation in error-throwing code within the EVerest software stack and libocpp library, which leads to unintended memory reads. Detection involves verifying the software version in use. You can check the installed versions of EVerest and libocpp to see if they are prior to the fixed versions (EVerest before 2025.9.0 and libocpp before 0.30.1). For example, use commands like `everest --version` or check package versions via your package manager. Additionally, reviewing logs for unusual error messages or memory leaks might help, but no specific detection commands are provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade EVerest to version 2025.9.0 or later and libocpp to version 0.30.1 or later, where the vulnerability has been fixed. Avoid running vulnerable versions, especially with high privileges, and restrict access to trusted operators only until the update is applied. [1]

Compliance Impact

The vulnerability allows a malicious operator with high privileges to read unintended memory regions, including sensitive data such as heap, stack, and stack canary. This potential exposure of confidential information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access. However, specific compliance impacts are not detailed in the provided resources. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23955. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart