CVE-2026-23955 is a vulnerability classified under CWE-1046 (Creation of Immutable Text Using String Concatenation) affecting the everest-core component of the EVerest EV charging software stack. The root cause is the concatenation of integer values to literal strings in error handling code prior to version 2025.9.0. Instead of converting integers to their string representation, the code performs pointer arithmetic, leading to the interpretation of integer values as memory addresses. This flaw allows a malicious operator with high privileges to read unintended memory regions such as the heap and stack, potentially leaking sensitive data. Exploitation requires local access (AV:L), low attack complexity (AC:L), high privileges (PR:H), and user interaction (UI:R). The vulnerability impacts confidentiality (C:H) but does not affect integrity or availability. The scope remains unchanged (S:U). Although no known exploits are reported, the vulnerability poses a risk in environments where operators have elevated access to the charging software. The issue is resolved in version 2025.9.0 by correcting the string concatenation logic to properly convert integers to strings before concatenation, preventing pointer arithmetic and memory disclosure.

For European organizations operating EV charging infrastructure using affected versions of EVerest everest-core, this vulnerability could lead to unauthorized disclosure of sensitive memory contents. This may include cryptographic keys, authentication tokens, or other confidential operational data residing in heap or stack memory. Such information leakage could facilitate further attacks, including privilege escalation or unauthorized access to charging systems. Given the critical role of EV charging infrastructure in energy and transportation sectors, any compromise could disrupt services or erode trust. However, since exploitation requires high privileges and user interaction, the risk is somewhat mitigated but remains significant in insider threat scenarios or compromised operator accounts. The confidentiality breach could also have regulatory implications under GDPR if personal or operational data is exposed. Therefore, the impact on European organizations is primarily confidentiality loss with potential operational and compliance consequences.

European organizations should immediately upgrade all instances of EVerest everest-core to version 2025.9.0 or later to remediate this vulnerability. Until patching is complete, restrict operator access to the charging software to only trusted personnel and enforce strict privilege management to minimize the risk of malicious exploitation. Implement monitoring and logging of operator actions to detect anomalous behavior indicative of exploitation attempts. Conduct regular code reviews and security audits focusing on error handling and string operations to prevent similar issues. Additionally, apply memory protection mechanisms such as address space layout randomization (ASLR) and stack canaries to reduce the impact of memory disclosure vulnerabilities. Educate operators about the risks of interacting with suspicious error messages or prompts. Finally, ensure that incident response plans include procedures for handling potential memory disclosure incidents in EV infrastructure.