CVE-2026-26204
Heap-based Out-of-Bounds Write in Wazuh
Publication date: 2026-04-29
Last updated on: 2026-04-30
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wazuh | wazuh | From 1.0.0 (inclusive) to 4.14.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-124 | The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. |
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap-based out-of-bounds write in the GetAlertData function of the Wazuh agent. It is caused by an unsigned integer underflow when an alert with an empty filename is processed: a NUL byte is written one byte before the start of a buffer allocated by strdup, which corrupts heap metadata.
An attacker can exploit this by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector, potentially causing denial of service or heap corruption.
The issue affects Wazuh versions from 1.0.0 up to but not including 4.14.4, where it has been patched.
Can you explain this vulnerability to me?
This vulnerability exists in Wazuh versions from 1.0.0 up to but not including 4.14.4. It is a heap-based out-of-bounds write in the GetAlertData function. Specifically, a NUL byte is written exactly one byte before the start of a buffer allocated by strdup, because an unsigned integer underflow produces an index whose pointer arithmetic wraps to the byte preceding the buffer. This corrupts heap metadata.
An attacker who has compromised an agent can exploit this by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector, potentially causing denial of service or heap corruption.
This issue was fixed in version 4.14.4 of Wazuh.
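To make the CWE-191 / CWE-124 mechanism concrete, here is an added C example, a hypothetical reconstruction of the bug class and not Wazuh's GetAlertData code: the first function shows how strlen(s) - 1 wraps to SIZE_MAX for an empty filename (the index of the byte just before a heap buffer), and the second is a hardened extractor that rejects the empty case before stripping the closing quote. The PREFIX macro, the function names and the sample alert lines are all constructed for this illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed alert prefix; the quoted filename follows it. */
#define PREFIX "Integrity checksum changed for: '"

/* The unsafe arithmetic in isolation: for an empty string strlen() is 0 and
 * 0 - 1 wraps to SIZE_MAX, so buf[SIZE_MAX] addresses the byte immediately
 * before buf on a wrapping pointer model. Only the index is computed here;
 * nothing is written. */
size_t unchecked_terminator_index(const char *s) {
    return strlen(s) - 1;
}

/* Hardened version: copy the filename out of the alert and strip the closing
 * quote, but refuse empty or unterminated names instead of computing len - 1
 * when len is 0. The caller frees the result. */
char *extract_filename(const char *alert) {
    if (strncmp(alert, PREFIX, strlen(PREFIX)) != 0)
        return NULL;                          /* not the alert we handle */
    char *name = strdup(alert + strlen(PREFIX));
    if (name == NULL)
        return NULL;
    size_t len = strlen(name);
    if (len == 0 || name[len - 1] != '\'') {  /* empty or no closing quote */
        free(name);
        return NULL;
    }
    name[len - 1] = '\0';                     /* len >= 1: stays in bounds */
    return name;
}

int main(void) {
    /* Constructed sample alert lines, not taken from any real log. */
    const char *good = PREFIX "/etc/hosts'";
    const char *empty = PREFIX "";            /* empty filename case */
    printf("index for empty name: %zu (SIZE_MAX = %zu)\n",
           unchecked_terminator_index(""), (size_t)SIZE_MAX);
    char *n = extract_filename(good);
    printf("good  -> %s\n", n ? n : "(rejected)");
    free(n);
    n = extract_filename(empty);
    printf("empty -> %s\n", n ? n : "(rejected)");
    free(n);
    return 0;
}
```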
How can this vulnerability impact me?
The vulnerability can be leveraged by a malicious actor with access to a compromised agent to cause denial of service or heap corruption in the Wazuh system.
This could disrupt the normal operation of Wazuh's threat detection and response capabilities, potentially leading to system instability or crashes.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Wazuh to version 4.14.4 or later, where the issue has been patched.
How can this vulnerability impact me?
The primary impact of this vulnerability is on the availability of the Wazuh agent.
A malicious actor who exploits this issue by injecting a specially crafted alert can cause denial of service or heap corruption, which may disrupt the normal operation of the Wazuh agent.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a heap-based out-of-bounds write triggered by specially crafted alerts injected into the alerts log file monitored by wazuh-logcollector.
Detection can focus on monitoring the alerts log file for suspicious or malformed alerts containing the string "Integrity checksum changed for: '" with an empty filename or unusual patterns that could trigger the underflow.
Since the issue occurs in the Wazuh agent processing alerts, checking the version of the Wazuh agent installed is important to identify vulnerable versions (1.0.0 up to before 4.14.4).
Suggested commands include:
- Check Wazuh agent version: `wazuh-agent -v` or check installed package version.
- Search alerts log for suspicious entries: `grep "Integrity checksum changed for: '" /var/ossec/logs/alerts/alerts.log`
- Monitor for crashes or unusual behavior in wazuh-logcollector or agent logs indicating heap corruption.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Wazuh agent and manager components to version 4.14.4 or later, where this heap-based null write buffer underflow vulnerability has been patched.
Until the upgrade can be performed, consider monitoring and filtering alerts to prevent injection of specially crafted alerts that could trigger the vulnerability.
Additionally, review and restrict access to the alerts log file and the wazuh-logcollector process to trusted sources only, minimizing the risk of malicious alert injection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability primarily impacts the availability of the Wazuh agent by potentially causing denial of service or heap corruption through a heap-based out-of-bounds write. There is no information provided indicating that this vulnerability affects confidentiality or integrity of data.
Since the vulnerability does not directly involve unauthorized access to or disclosure of personal or sensitive data, it does not explicitly affect compliance with data protection regulations such as GDPR or HIPAA based on the provided information.
However, any denial of service or disruption in security monitoring capabilities could indirectly impact an organization's ability to maintain continuous security controls required by such standards.