Description
EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointer arithmetic instead of printing the integer value as expected, as most interpreted languages do. This can be used by a malicious operator to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue.
Published: 2026-01-21
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

EVerest is an electric vehicle charging software stack. In releases before 2025.9.0, the code concatenates string literals with integer values when throwing errors. In C++ a string literal decays to a character pointer, so adding an integer offsets that pointer instead of formatting the value; the resulting error message is read from wherever the offset pointer lands, enabling a malicious operator to read unintended memory regions such as the stack or heap. This can expose sensitive data or facilitate further exploitation.
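The pattern behind CWE-1046, shown as an added illustration (constructed for this page, not EVerest's own code): a function using the literal-plus-integer idiom beside its hardened form, which converts the integer with std::to_string before concatenating. The offsets used here stay inside the literal so the demonstration itself is well-defined; with a large code the pointer would run past the literal into adjacent memory, which is the disclosure the advisory describes. Function names are assumptions.

```cpp
#include <cstring>
#include <stdexcept>
#include <string>

// Vulnerable pattern (constructed example): "literal" + code is pointer
// arithmetic. The literal decays to const char*, and the result points
// `code` bytes into it. For code >= strlen(literal)+1 the pointer leaves
// the literal entirely and the message is read from neighbouring memory.
const char* buggy_message(int code) {
    return "Error while charging, code " + code;
}

// Hardened form: render the integer as text first, then concatenate
// std::string objects, so the value appears in the message as intended.
std::string safe_message(int code) {
    return std::string("Error while charging, code ") + std::to_string(code);
}

// Mirrors the advisory's "when throwing errors": the message reaches
// the caller through std::exception::what().
void throw_charging_error(int code) {
    throw std::runtime_error(safe_message(code));
}

// Helper that catches the exception and returns its text for inspection.
std::string caught_message(int code) {
    try {
        throw_charging_error(code);
    } catch (const std::runtime_error& e) {
        return e.what();
    }
    return "";
}

// Defensive check usable in code review or a unit test: a correctly formed
// message must end with the decimal rendering of the code. The buggy
// version fails this for every non-zero code because the prefix is eaten
// instead of the number being appended.
bool message_contains_code(const std::string& msg, int code) {
    const std::string suffix = std::to_string(code);
    return msg.size() >= suffix.size() &&
           msg.compare(msg.size() - suffix.size(), suffix.size(), suffix) == 0;
}
```

Clang flags the vulnerable form at compile time with its -Wstring-plus-int warning (on by default), which is the cheapest way to find remaining instances in a code base; treating that warning as an error in CI prevents regressions.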

Affected Systems

The vulnerability affects EVerest everest-core on the Linux Foundation EV charging platform, specifically all versions released prior to 2025.9.0. Upgrading to 2025.9.0 or later eliminates the affected code path.

Risk and Exploitability

The CVSS score of 4.2 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need to be an operator or otherwise able to trigger error conditions that exercise the vulnerable string concatenation; once achieved, they can read unintended memory regions. While the impact does not provide direct remote code execution, the information disclosure risk could aid lateral movement or credential compromise if privileged data is leaked.

Generated by OpenCVE AI on April 18, 2026 at 15:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EVerest everest-core to version 2025.9.0 or later
  • Restrict operator privileges so only authorized personnel can trigger error paths
  • Enable and monitor detailed error logs to detect unexpected memory read attempts and investigate promptly


Advisories

No advisories yet.

History

Fri, 06 Feb 2026 21:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Linuxfoundation
                                      Linuxfoundation everest
CPEs                 -                cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
Vendors & Products   -                Linuxfoundation
                                      Linuxfoundation everest

Fri, 23 Jan 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Everest
                                      Everest everest-core
Vendors & Products   -                Everest
                                      Everest everest-core

Wed, 21 Jan 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 19:45:00 +0000

Type                 Values Removed   Values Added
Description          -                EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointers arithmetic instead of printing the integer value as expected, like most of interpreted languages. This can be used by malicious operator to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue.
Title                -                EVerest vulnerable to concatenation of strings literal and integers
Weaknesses           -                CWE-1046
References           -                
Metrics              -                cvssV3_1
                                      {'score': 4.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-21T19:53:57.098Z

Reserved: 2026-01-19T14:49:06.312Z

Link: CVE-2026-23955

Vulnrichment

Updated: 2026-01-21T19:53:51.057Z

NVD

Status : Analyzed

Published: 2026-01-21T20:16:12.517

Modified: 2026-02-06T21:21:59.107

Link: CVE-2026-23955

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses