CVE-2025-68138

MEDIUM

libocpp < 0.30.1 - Memory Leak via Unfreed strdup Pointers

Title source: llm

Description

EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are never freed. At each connection attempt, the newly allocated memory area will be leaked, potentially causing memory exhaustion and denial of service. Version 0.30.1 fixes the issue.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/EVerest/everest-core/security/advisories/GHSA-f8c2-44c3-7v55

Product x_refsource_misc

https://github.com/EVerest/libocpp/blob/89c7b62ec899db637f43b54f19af2c4af30cfa66/lib/ocpp/common/websocket/websocket_libwebsockets.cpp

View Writeup ZIP pw:eip

Scores

CVSS v3 4.7

EPSS 0.0006

EPSS Percentile 17.2%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (1)

linuxfoundation/libocpp < 0.30.1

Published Jan 21, 2026

Tracked Since Feb 18, 2026