Executive Summary

CVE-2026-25772 is a stack-based buffer overflow vulnerability in the Wazuh Database synchronization module, specifically in the SQL query construction logic within a fixed-size stack buffer of 2048 bytes.

The issue arises because the code incorrectly handles the return value of the function snprintf, which returns the number of characters that would have been written if the buffer were large enough, not the actual number written.

When a database synchronization payload exceeds the buffer size, an integer underflow occurs during the calculation of the remaining buffer size. This causes the size calculation to wrap around to a very large positive integer, effectively removing bounds checking for subsequent writes.

As a result, the next snprintf call writes beyond the buffer bounds, causing stack corruption that can lead to Denial of Service (DoS) or potentially Remote Code Execution (RCE).

The vulnerability affects Wazuh Manager versions from 4.4.0 up to but not including 4.14.3, where it has been fixed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to corrupt the stack by overflowing a buffer during database synchronization.

The impact includes causing a Denial of Service (DoS), which would disrupt the normal operation of the Wazuh platform.

More severely, it may allow an attacker to achieve Remote Code Execution (RCE), potentially gaining control over the affected system.

The attack can be performed remotely over the network, but requires high privileges on the system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for stack-based buffer overflow behavior in the Wazuh Database synchronization module, specifically in the source file `wdb_delta_event.c` affecting functions `wdb_upsert_dbsync` and `wdb_delete_dbsync`.

A proof-of-concept (PoC) triggers the vulnerability by causing multiple `snprintf` calls to overflow a fixed-size buffer, which can be detected by tools like AddressSanitizer (ASan) that report stack-buffer-overflow errors.

To detect exploitation attempts or the vulnerability on your system, you can:

• Use AddressSanitizer or similar memory error detection tools when running or testing Wazuh Manager binaries to catch stack-buffer-overflow errors.
• Monitor logs for crashes or Denial of Service (DoS) events related to Wazuh Database synchronization.
• Check the version of Wazuh Manager installed; versions from 4.4.0 up to but not including 4.14.3 are vulnerable.

There are no specific network commands provided in the resources to detect this vulnerability directly, but monitoring for abnormal crashes or using debugging tools on the Wazuh Manager process is recommended.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Wazuh Manager to version 4.14.3 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, mitigation involves ensuring that the code handling SQL query construction in the Wazuh Database synchronization module properly checks the return value of `snprintf` against the remaining buffer size before updating the accumulator.

Specifically, the loop that constructs the SQL query should abort if truncation is detected (i.e., if the return value of `snprintf` is greater than or equal to the remaining buffer size) to prevent buffer overflow.

Additionally, monitoring for abnormal crashes or Denial of Service (DoS) conditions related to Wazuh Database synchronization can help detect exploitation attempts.

Useful 0 Not Useful 0