CVE-2026-23955
BaseFortify
Publication date: 2026-01-21
Last updated on: 2026-02-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | everest | before 2025.9.0 (2025.9.0 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1046 | The product creates an immutable text string using string concatenation operations. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23955 is a vulnerability in the EVerest EV charging software stack and its libocpp OCPP library, where integer values are "added" to string literals when building error messages. In C++ a string literal is a constant character array that decays to a pointer, so adding an integer to it is not concatenation but pointer arithmetic: the result points that many bytes into the literal (or, for a large value, past its end), and the message is then read from that address up to the next NUL byte. The error message therefore loses its intended prefix and, for out-of-range values, becomes an out-of-bounds read that discloses whatever happens to follow the literal in memory; the cited source lists the heap, stack and stack canary as possible exposures. A malicious operator with high privileges can trigger the affected error paths. The issue affects EVerest before 2025.9.0 and libocpp before 0.30.1 and is fixed in those versions. [1]
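To make the defect class concrete, the following is an added example written for this page; it is not EVerest or libocpp code, and the message text, function names and the connector-id scenario are made up. It shows the vulnerable pattern beside the fixed one and keeps the demonstration offset inside the literal so the example itself has defined behaviour; in the real bug an offset past the end of the literal is what turns the wrong message into a memory leak.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical error-message builders (not project code) illustrating the
// defect class behind CVE-2026-23955.

// Vulnerable: a string literal has type const char[N] and decays to
// const char*, so "literal" + code is pointer arithmetic, not appending.
// The message starts `code` bytes into the literal and runs to the next
// NUL byte. For code >= sizeof(literal) (or code < 0) the pointer leaves
// the literal and the read pulls in whatever follows it in memory; only
// in-bounds offsets are used here so that the demonstration is well defined.
std::string build_message_vulnerable(int code) {
    const char *msg = "Invalid connector id: " + code;  // pointer arithmetic
    return std::string(msg);
}

// Fixed: convert the integer first, then concatenate std::string objects.
std::string build_message_fixed(int code) {
    return std::string("Invalid connector id: ") + std::to_string(code);
}

// Throw the message the way an error path would and return what the catcher
// sees, so the two builders can be compared end to end.
std::string thrown_message(bool use_fixed, int code) {
    try {
        throw std::runtime_error(use_fixed ? build_message_fixed(code)
                                           : build_message_vulnerable(code));
    } catch (const std::exception &e) {
        return e.what();
    }
}

// Review aid: a message produced by the vulnerable path has lost its prefix.
bool prefix_intact(const std::string &message) {
    return message.rfind("Invalid connector id: ", 0) == 0;
}

int main() {
    // With code == 0 both paths look identical, which is why the bug hides
    // until a non-zero value reaches the error path.
    std::cout << "vulnerable(0): " << thrown_message(false, 0) << '\n';
    std::cout << "vulnerable(8): " << thrown_message(false, 8) << '\n';
    std::cout << "fixed(8):      " << thrown_message(true, 8) << '\n';
    return 0;
}
```

Clang reports the vulnerable line with its -Wstring-plus-int warning; GCC accepts it silently, which is one reason the pattern survives review. Note that a value of zero produces the intended message, so tests that only exercise the happy path will not catch it.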
How can this vulnerability impact me? :
This vulnerability can allow a malicious operator with high privileges, given some user interaction, to read memory that the error message was never meant to expose; the cited source names heap, stack and stack canary data. Because the integer is applied as a byte offset from the string literal's address, the size of the value and the architecture determine how far the read lands: on 64-bit systems it can reach other string literals or other mapped memory. The result is information disclosure that may expose confidential data and aid further attacks. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an improper integer-to-string concatenation in error-throwing code within the EVerest software stack and the libocpp library, which leads to unintended memory reads. Detection is primarily a version check: confirm whether the installed EVerest is older than 2025.9.0 and the installed libocpp older than 0.30.1. The source suggests commands such as `everest --version` where your build provides them, or checking the package versions via your package manager or build manifest. Reviewing logs for error messages whose text is truncated or contains unexpected characters can hint at the bug being triggered, and building with clang flags this pattern with its -Wstring-plus-int warning, but no specific detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade EVerest to version 2025.9.0 or later and libocpp to version 0.30.1 or later, where the vulnerability is fixed. Until the update is applied, avoid running vulnerable versions with elevated privileges and restrict the operator role that can reach the affected error paths to trusted personnel only. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows a malicious operator with high privileges to read unintended memory regions, including sensitive data such as heap, stack, and stack canary. This potential exposure of confidential information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access. However, specific compliance impacts are not detailed in the provided resources. [1]