CVE-2026-25790
Received Received - Intake
Stack-Based Buffer Overflow in Wazuh SCA Decoder Enables RCE

Publication date: 2026-03-17

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (`wazuh-analysisd`). The use of `sprintf` with a floating-point (`%lf`) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack. A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential RCE on the Wazuh manager. The vulnerability is located in `/src/analysisd/decoders/security_configuration_assessment.c`, within the `FillScanInfo` and `FillCheckEventInfo` functions. In multiple locations, a 128-byte buffer (`char value[OS_SIZE_128];`) is allocated on the stack to hold the string representation of a number from a JSON event. The code checks if the number is an integer or a double. If it's a double, it uses `sprintf(value, "%lf", ...)` to perform the conversion. This `sprintf` call is unbounded. If a floating-point number with a large exponent (e.g., `1.0e150`) is provided, `sprintf` will attempt to write its full string representation (a "1" followed by 150 zeros), which is larger than the 128-byte buffer, corrupting the stack. Version 4.14.3 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25790
EUVD
EUVD-2026-12623
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wazuh wazuh From 3.9.0 (inc) to 4.14.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25790 is a stack-based buffer overflow vulnerability in the Wazuh manager's Security Configuration Assessment (SCA) JSON parser component. It affects versions from 3.9.0 up to but not including 4.14.3."}, {'type': 'paragraph', 'content': 'The issue arises because the code uses the unsafe function sprintf with the %lf format specifier to convert floating-point numbers to strings inside a fixed-size 128-byte buffer on the stack. When a specially crafted JSON event contains a floating-point number with a very large exponent (for example, 1.0e150), sprintf attempts to write a string representation that exceeds the buffer size, causing a stack buffer overflow.'}, {'type': 'paragraph', 'content': 'This overflow can corrupt the stack, potentially leading to a denial of service (crash) or even remote code execution (RCE) on the Wazuh manager.'}, {'type': 'paragraph', 'content': 'The vulnerable code is located in the functions FillScanInfo and FillCheckEventInfo within the source file security_configuration_assessment.c, where multiple JSON fields are processed unsafely.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to send specially crafted JSON events to the Wazuh manager that trigger a stack buffer overflow.

The immediate impact includes denial of service, causing the Wazuh manager to crash and become unavailable.

More severely, the overflow could be exploited to achieve remote code execution (RCE), allowing an attacker to execute arbitrary code on the Wazuh manager with the privileges of the affected process.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring the Wazuh manager (wazuh-analysisd) for crashes or abnormal behavior triggered by specially crafted JSON events containing floating-point numbers with very large exponents (e.g., 1.0e150).

A proof-of-concept test involves compiling a minimal program with AddressSanitizer (ASan) to detect stack-buffer-overflow when processing such inputs.

To detect exploitation attempts or the presence of the vulnerability on your system, you can:

  • Monitor wazuh-analysisd logs for crashes or errors related to JSON parsing.
  • Use AddressSanitizer (ASan) to run a test harness that inputs JSON events with floating-point numbers like 1.0e150 to detect buffer overflows.
  • Check for unusually large floating-point values in JSON events processed by wazuh-analysisd.

Example command to compile a test program with ASan (assuming you have a test harness source):

  • gcc -fsanitize=address -g test_harness.c -o test_harness

Then run the test harness with input containing a large floating-point number (e.g., 1.0e150) to check for buffer overflow detection.

Mitigation Strategies

The immediate mitigation step is to upgrade the Wazuh manager to version 4.14.3 or later, where the vulnerability has been patched.

The patch replaces unsafe `sprintf` calls with bounded `snprintf` calls to prevent stack buffer overflow.

Until the upgrade can be applied, consider monitoring and filtering JSON events with suspiciously large floating-point numbers to reduce the risk of exploitation.

Additionally, ensure that the Wazuh manager runs with the least privileges necessary, as the vulnerability requires high privileges to exploit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25790. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart