CVE-2026-23955
BaseFortify

Publication date: 2026-01-21

Last updated on: 2026-02-06

Assigner: GitHub, Inc.

Description
EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. Because a string literal in C++ is a pointer, this performs pointer arithmetic instead of formatting the integer into the message, as most interpreted languages would. A malicious operator can use this to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue.
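The bug class described above, as an added illustration that is not EVerest or libocpp code: `vulnerable_message` and `fixed_message` are hypothetical functions written here to show the shape of the defect, and the message text is constructed for the example. In C++ a string literal decays to `const char*`, so `"literal" + code` is pointer arithmetic, and whatever C string happens to start `code` bytes into (or past) the literal becomes the exception text. The corrected form converts the integer with `std::to_string` before concatenating.

```cpp
#include <stdexcept>
#include <string>

// Vulnerable pattern (hypothetical, modelled on the advisory): the literal
// is a const char*, so adding an int moves the pointer rather than
// formatting the number. Offsets up to the literal's length (12 here,
// pointing at the terminating NUL) are still in bounds; anything larger
// reads memory beyond the literal, which is the information leak.
const char* vulnerable_message(int code) {
    return "error code: " + code;
}

// Fixed pattern: the integer is formatted into a std::string first, so
// operator+ performs string concatenation and no pointer moves.
std::string fixed_message(int code) {
    return "error code: " + std::to_string(code);
}

// Throws the way the affected code paths do and returns what a catch
// handler (or a log line) would see, so the two forms can be compared.
std::string caught_what(bool fixed, int code) {
    try {
        if (fixed) {
            throw std::runtime_error(fixed_message(code));
        }
        throw std::runtime_error(vulnerable_message(code));
    } catch (const std::exception& e) {
        return e.what();
    }
}
```

With `code == 6` the vulnerable form yields `"code: "` (the literal viewed from six bytes in) while the fixed form yields `"error code: 6"`; the example deliberately keeps offsets inside the literal so it has defined behaviour. When auditing a code base for this pattern, Clang's `-Wstring-plus-int` warning ("adding 'int' to a string does not append to the string") flags it at compile time, and a grep for `"` followed by `+` and an integer-typed variable in `throw` expressions catches the rest.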
Meta Information
Published
2026-01-21
Last Modified
2026-02-06
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-14
Affected Vendors & Products
1 associated CPE
Vendor: linuxfoundation
Product: everest
Version / Range: all versions before 2025.9.0 (2025.9.0 excluded)
CWE
CWE-1046: The product creates an immutable text string using string concatenation operations.
AI Quick Actions
Executive Summary

CVE-2026-23955 is a vulnerability in the EVerest EV charging software stack where integer values are improperly concatenated to string literals in error messages. Instead of converting the integer to a string, the code performs pointer arithmetic, so the integer is treated as a byte offset from the string literal's address. This flaw allows a malicious operator with high privileges to read unintended memory regions, including sensitive areas such as the heap, the stack, and the stack canary, potentially exposing confidential information. The issue affects EVerest versions prior to 2025.9.0 and libocpp versions prior to 0.30.1, and is fixed in those releases. [1]

Impact Analysis

This vulnerability can allow a malicious operator with high privileges and user interaction to read sensitive memory contents that should not be accessible, such as heap, stack, and stack canary data. On 64-bit systems, it can leak other string literals or even entire memory contents depending on the integer size and architecture. This can lead to information disclosure, exposing confidential data and potentially aiding further attacks. [1]

Detection Guidance

This vulnerability stems from improper integer-to-string concatenation in error-throwing code within the EVerest software stack and the libocpp library, which leads to unintended memory reads. Detection involves verifying the software version in use. Check the installed versions of EVerest and libocpp to see whether they are older than the fixed versions (EVerest before 2025.9.0 and libocpp before 0.30.1). For example, use commands like `everest --version` or check package versions via your package manager. Additionally, reviewing logs for unusual error messages or memory leaks might help, but no specific detection commands are provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade EVerest to version 2025.9.0 or later and libocpp to version 0.30.1 or later, where the vulnerability has been fixed. Avoid running vulnerable versions, especially with high privileges, and restrict access to trusted operators only until the update is applied. [1]

Compliance Impact

The vulnerability allows a malicious operator with high privileges to read unintended memory regions, including sensitive data such as heap, stack, and stack canary. This potential exposure of confidential information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access. However, specific compliance impacts are not detailed in the provided resources. [1]
