CVE-2026-23955

low-risk

Published 2026-01-21

EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointers arithmetic instead of printing the integer value as expected, like most of interpreted languages. This can be used by malicious operator to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.2/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Everest

Affected Vendors

Linuxfoundation

References (1)

Vendor Advisory https://github.com/EVerest/everest-core/security/advisories/GHSA-px57-jx97-hrff

/ 100

low-risk

Severity 15/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal