CVE-2026-26204
Received Received - Intake
Heap-based Out-of-Bounds Write in Wazuh

Publication date: 2026-04-29

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Due to unsigned integer underflow and pointer arithmetic wrapping, the write lands at offset -1 from the buffer, corrupting heap metadata. A malicious actor can potentially leverage this issue through a compromised agent to cause denial of service or heap corruption by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector. This issue has been patched in version 4.14.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26204
EUVD
EUVD-2026-26259
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wazuh wazuh From 1.0.0 (inc) to 4.14.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-124 The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Wazuh versions from 1.0.0 up to before 4.14.4. It is a heap-based out-of-bounds write that occurs in the GetAlertData function. Specifically, a NULL byte is written exactly one byte before the start of a buffer allocated by strdup due to an unsigned integer underflow and pointer arithmetic wrapping. This causes corruption of heap metadata.

An attacker who has compromised an agent can exploit this by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector, potentially causing denial of service or heap corruption.

This issue was fixed in version 4.14.4 of Wazuh.

Impact Analysis

The vulnerability can be leveraged by a malicious actor with access to a compromised agent to cause denial of service or heap corruption in the Wazuh system.

This could disrupt the normal operation of Wazuh's threat detection and response capabilities, potentially leading to system instability or crashes.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Wazuh to version 4.14.4 or later, where the issue has been patched.

Compliance Impact

This vulnerability primarily impacts the availability of the Wazuh agent by potentially causing denial of service or heap corruption through a heap-based out-of-bounds write. There is no information provided indicating that this vulnerability affects confidentiality or integrity of data.

Since the vulnerability does not directly involve unauthorized access to or disclosure of personal or sensitive data, it does not explicitly affect compliance with data protection regulations such as GDPR or HIPAA based on the provided information.

However, any denial of service or disruption in security monitoring capabilities could indirectly impact an organization's ability to maintain continuous security controls required by such standards.

Executive Summary

This vulnerability is a heap-based out-of-bounds write in the GetAlertData function of the Wazuh agent. It occurs because of an unsigned integer underflow when processing alerts with an empty filename, causing a NULL byte to be written one byte before the start of a buffer allocated by strdup. This corrupts heap metadata.

An attacker can exploit this by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector, potentially causing denial of service or heap corruption.

The issue affects Wazuh versions from 1.0.0 up to but not including 4.14.4, where it has been patched.

Impact Analysis

The primary impact of this vulnerability is on the availability of the Wazuh agent.

A malicious actor who exploits this issue by injecting a specially crafted alert can cause denial of service or heap corruption, which may disrupt the normal operation of the Wazuh agent.

Detection Guidance

This vulnerability involves a heap-based out-of-bounds write triggered by specially crafted alerts injected into the alerts log file monitored by wazuh-logcollector.

Detection can focus on monitoring the alerts log file for suspicious or malformed alerts containing the string "Integrity checksum changed for: '" with an empty filename or unusual patterns that could trigger the underflow.

Since the issue occurs in the Wazuh agent processing alerts, checking the version of the Wazuh agent installed is important to identify vulnerable versions (1.0.0 up to before 4.14.4).

Suggested commands include:

  • Check Wazuh agent version: `wazuh-agent -v` or check installed package version.
  • Search alerts log for suspicious entries: `grep "Integrity checksum changed for: '" /var/ossec/logs/alerts/alerts.log`
  • Monitor for crashes or unusual behavior in wazuh-logcollector or agent logs indicating heap corruption.
Mitigation Strategies

The primary mitigation step is to upgrade the Wazuh agent and manager components to version 4.14.4 or later, where this heap-based null write buffer underflow vulnerability has been patched.

Until the upgrade can be performed, consider monitoring and filtering alerts to prevent injection of specially crafted alerts that could trigger the vulnerability.

Additionally, review and restrict access to the alerts log file and the wazuh-logcollector process to trusted sources only, minimizing the risk of malicious alert injection.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26204. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart