CVE-2026-28221
Received Received - Intake
Stack-Based Buffer Overflow in Wazuh Remote Agent

Publication date: 2026-04-29

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.8.0 to before version 4.14.4, a stack-based buffer overflow exists in print_hex_string() in wazuh-remoted. The bug is triggered when formatting attacker-controlled bytes using sprintf(dst_buf + 2*i, "%.2x", src_buf[i]) on platforms where char is treated as signed and the compiled code sign-extends bytes before the variadic call. For input bytes such as 0xFF, the formatting can emit "ffffffff" (8 chars) instead of "ff" (2 chars), causing an out-of-bounds write past a fixed 2049-byte stack buffer. The vulnerable path is reachable remotely prior to any agent authentication/registration logic via TCP/1514 when an oversized length prefix causes the β€œunexpected message (hex)” diagnostic path to run. Additionally, the same unauthenticated oversized-message diagnostic path logs an attacker-controlled hex dump to /var/ossec/logs/ossec.log for each trigger, allowing remote log amplification that can degrade monitoring fidelity and consume disk/I/O. This log amplification is reachable even without triggering the sign-extension overflow (e.g., using bytes < 0x80). This issue has been patched in version 4.14.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28221
EUVD
EUVD-2026-26270
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wazuh wazuh From 4.8.0 (inc) to 4.14.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Wazuh versions from 4.8.0 up to but not including 4.14.4. It is a stack-based buffer overflow in the function print_hex_string() within wazuh-remoted. The issue occurs when formatting attacker-controlled bytes using sprintf on platforms where the char type is signed and sign-extension happens before the variadic call. For example, input bytes like 0xFF can be incorrectly formatted as "ffffffff" (8 characters) instead of "ff" (2 characters), causing an out-of-bounds write past a fixed 2049-byte stack buffer.

This vulnerable code path can be reached remotely before any agent authentication or registration via TCP port 1514 when an attacker sends an oversized length prefix that triggers an "unexpected message (hex)" diagnostic path. Additionally, this path logs attacker-controlled hex dumps to the log file /var/ossec/logs/ossec.log, which can be abused for remote log amplification, degrading monitoring fidelity and consuming disk and I/O resources.

The issue has been fixed in version 4.14.4.

Impact Analysis

This vulnerability can lead to a stack-based buffer overflow, which may allow an attacker to cause a denial of service or potentially execute arbitrary code on the affected system.

Additionally, the vulnerability allows remote attackers to send oversized messages that trigger excessive logging of attacker-controlled data, resulting in log amplification. This can degrade the effectiveness of monitoring systems and consume significant disk space and I/O resources.

Because the vulnerable path is reachable without authentication, attackers can exploit this remotely without needing valid credentials.

Detection Guidance

This vulnerability can be detected by monitoring network traffic on TCP port 1514 for oversized length prefix messages that trigger the β€œunexpected message (hex)” diagnostic path in wazuh-remoted. Additionally, examining the /var/ossec/logs/ossec.log file for repeated attacker-controlled hex dump entries can indicate exploitation attempts or log amplification activity.

Since the vulnerability is triggered remotely before agent authentication, network packet inspection tools can be used to detect suspicious oversized messages on TCP/1514.

Suggested commands to help detect this vulnerability include:

  • Use tcpdump or similar to capture suspicious packets on TCP port 1514: tcpdump -i <interface> tcp port 1514 and look for unusually large packets.
  • Search the Wazuh log file for repeated hex dump entries that may indicate log amplification: grep -i 'unexpected message (hex)' /var/ossec/logs/ossec.log
Mitigation Strategies

The immediate mitigation step is to upgrade Wazuh to version 4.14.4 or later, where this stack-based buffer overflow vulnerability has been patched.

Until the upgrade can be applied, consider restricting or blocking incoming traffic on TCP port 1514 from untrusted sources to prevent exploitation attempts.

Additionally, monitor the /var/ossec/logs/ossec.log file for signs of log amplification attacks and ensure sufficient disk space and I/O capacity to handle potential log flooding.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a stack-based buffer overflow in the print_hex_string() function of the wazuh-remoted component in Wazuh versions 4.8.0 up to 4.14.3. It occurs because on some platforms where the char type is signed, bytes with values like 0xFF are sign-extended when formatted using sprintf, causing the function to write more characters than expected into a fixed-size stack buffer. This results in an out-of-bounds write beyond the 2049-byte buffer.

The vulnerable code path can be triggered remotely without authentication by sending a specially crafted message with an oversized length prefix to TCP port 1514. This forces the daemon into a diagnostic path that processes the attacker-controlled bytes, leading to the overflow.

Additionally, the same unauthenticated path logs attacker-controlled hex dumps to a log file, enabling remote log amplification attacks that can degrade monitoring and consume disk or I/O resources.

The issue has been fixed in Wazuh version 4.14.4.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to cause a stack-based buffer overflow, which may lead to integrity and availability issues in the affected system.

Although a reliable crash or control-flow hijack has not been demonstrated, the buffer overflow could potentially destabilize the application.

Moreover, the vulnerability enables remote log amplification attacks by logging attacker-controlled data repeatedly, which can degrade monitoring fidelity and exhaust disk space or I/O resources, effectively causing a denial-of-service condition.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or oversized messages sent to the Wazuh daemon on TCP port 1514, as the vulnerability is triggered by an oversized length prefix causing a diagnostic path to run.

Additionally, checking the Wazuh log file at /var/ossec/logs/ossec.log for repeated or abnormal hex dump entries can indicate attempts to exploit the vulnerability or log amplification attacks.

While no specific detection commands are provided, network monitoring tools can be used to capture and analyze traffic on TCP port 1514 for oversized or malformed packets.

  • Use tcpdump or Wireshark to capture traffic on port 1514: tcpdump -i <interface> port 1514
  • Search the Wazuh log for suspicious hex dump entries: grep -i 'hex' /var/ossec/logs/ossec.log
Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Wazuh to version 4.14.4 or later, where the issue has been patched.

Until the upgrade can be applied, consider restricting or monitoring incoming traffic on TCP port 1514 to prevent unauthenticated remote exploitation.

Also, monitor disk and I/O usage related to Wazuh logs to detect and respond to potential log amplification attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28221. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart