CVE-2026-28221
Stack-Based Buffer Overflow in Wazuh Remote Agent

Publication date: 2026-04-29

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.8.0 to before version 4.14.4, a stack-based buffer overflow exists in print_hex_string() in wazuh-remoted. The bug is triggered when formatting attacker-controlled bytes using sprintf(dst_buf + 2*i, "%.2x", src_buf[i]) on platforms where char is treated as signed and the compiled code sign-extends bytes before the variadic call. For input bytes such as 0xFF, the formatting can emit "ffffffff" (8 chars) instead of "ff" (2 chars), causing an out-of-bounds write past a fixed 2049-byte stack buffer.

The vulnerable path is reachable remotely prior to any agent authentication/registration logic via TCP/1514 when an oversized length prefix causes the "unexpected message (hex)" diagnostic path to run.

Additionally, the same unauthenticated oversized-message diagnostic path logs an attacker-controlled hex dump to /var/ossec/logs/ossec.log for each trigger, allowing remote log amplification that can degrade monitoring fidelity and consume disk/I/O. This log amplification is reachable even without triggering the sign-extension overflow (e.g., using bytes < 0x80).

This issue has been patched in version 4.14.4.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wazuh
Product: wazuh
Version range: from 4.8.0 (inclusive) to 4.14.4 (exclusive)
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
CWE-121: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

This vulnerability is a stack-based buffer overflow in the print_hex_string() function of the wazuh-remoted component in Wazuh versions 4.8.0 up to 4.14.3. It occurs because on some platforms where the char type is signed, bytes with values like 0xFF are sign-extended when formatted using sprintf, causing the function to write more characters than expected into a fixed-size stack buffer. This results in an out-of-bounds write beyond the 2049-byte buffer.

The vulnerable code path can be triggered remotely without authentication by sending a specially crafted message with an oversized length prefix to TCP port 1514. This forces the daemon into a diagnostic path that processes the attacker-controlled bytes, leading to the overflow.

Additionally, the same unauthenticated path logs attacker-controlled hex dumps to a log file, enabling remote log amplification attacks that can degrade monitoring and consume disk or I/O resources.

The issue has been fixed in Wazuh version 4.14.4.


Can you explain this vulnerability to me?

This vulnerability exists in Wazuh versions from 4.8.0 up to but not including 4.14.4. It is a stack-based buffer overflow in the function print_hex_string() within wazuh-remoted. The issue occurs when formatting attacker-controlled bytes using sprintf on platforms where the char type is signed and sign-extension happens before the variadic call. For example, input bytes like 0xFF can be incorrectly formatted as "ffffffff" (8 characters) instead of "ff" (2 characters), causing an out-of-bounds write past a fixed 2049-byte stack buffer.

This vulnerable code path can be reached remotely before any agent authentication or registration via TCP port 1514 when an attacker sends an oversized length prefix that triggers an "unexpected message (hex)" diagnostic path. Additionally, this path logs attacker-controlled hex dumps to the log file /var/ossec/logs/ossec.log, which can be abused for remote log amplification, degrading monitoring fidelity and consuming disk and I/O resources.

The issue has been fixed in version 4.14.4.
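The sign-extension mechanism from the description and the explanation above, shown as an added example that is not Wazuh's code: hex_width_signed reproduces the width that "%.2x" yields once a signed char has gone through default argument promotion, and hex_encode is a hypothetical bounded, unsigned replacement for the sprintf(dst + 2*i, "%.2x", src[i]) pattern.

```c
#include <stdio.h>
#include <string.h>

/* Width that "%.2x" produces for one byte when the byte is a signed char.
 * Default argument promotion turns (signed char)0xFF into int -1, and %x
 * reads that bit pattern as an unsigned int: 0xffffffff, 8 characters.
 * The cast below makes the promoted value explicit and well-defined. */
int hex_width_signed(signed char b) {
    int promoted = b;                               /* 0xFF -> -1, 0x7F -> 127 */
    return snprintf(NULL, 0, "%.2x", (unsigned int)promoted);
}

/* Same byte widened through unsigned char first: always exactly 2 characters. */
int hex_width_unsigned(signed char b) {
    return snprintf(NULL, 0, "%.2x", (unsigned int)(unsigned char)b);
}

/* Hypothetical hardened encoder: unsigned input, bounded output, NUL-terminated.
 * Returns the number of hex characters written, or -1 if dst cannot hold
 * 2*src_len + 1 bytes (a 1024-byte input needs the page's 2049-byte buffer). */
int hex_encode(char *dst, size_t dst_len, const unsigned char *src, size_t src_len) {
    if (dst == NULL || dst_len == 0) return -1;
    if (src_len > (dst_len - 1) / 2) return -1;     /* refuse instead of overflowing */
    for (size_t i = 0; i < src_len; i++) {
        /* 3 = two hex digits plus NUL; unsigned char can never widen to 8 digits */
        snprintf(dst + 2 * i, 3, "%.2x", (unsigned int)src[i]);
    }
    dst[2 * src_len] = '\0';
    return (int)(2 * src_len);
}

int main(void) {
    /* constructed sample bytes: two below 0x80, two at or above it */
    const unsigned char sample[] = { 0x00, 0x7f, 0x80, 0xff };
    char out[2 * sizeof sample + 1];
    printf("0xff width after signed promotion: %d\n", hex_width_signed((signed char)0xff));
    printf("0xff width with unsigned cast:     %d\n", hex_width_unsigned((signed char)0xff));
    if (hex_encode(out, sizeof out, sample, sizeof sample) > 0)
        printf("bounded encoding: %s\n", out);
    return 0;
}
```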


How can this vulnerability impact me?

This vulnerability can lead to a stack-based buffer overflow, which may allow an attacker to cause a denial of service or potentially execute arbitrary code on the affected system.

Additionally, the vulnerability allows remote attackers to send oversized messages that trigger excessive logging of attacker-controlled data, resulting in log amplification. This can degrade the effectiveness of monitoring systems and consume significant disk space and I/O resources.

Because the vulnerable path is reachable without authentication, attackers can exploit this remotely without needing valid credentials.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring network traffic on TCP port 1514 for oversized length prefix messages that trigger the "unexpected message (hex)" diagnostic path in wazuh-remoted. Additionally, examining the /var/ossec/logs/ossec.log file for repeated attacker-controlled hex dump entries can indicate exploitation attempts or log amplification activity.

Since the vulnerability is triggered remotely before agent authentication, network packet inspection tools can be used to detect suspicious oversized messages on TCP/1514.

Suggested commands to help detect this vulnerability include:

  • Use tcpdump or similar to capture suspicious packets on TCP port 1514: tcpdump -i <interface> tcp port 1514 and look for unusually large packets.
  • Search the Wazuh log file for repeated hex dump entries that may indicate log amplification: grep -i 'unexpected message (hex)' /var/ossec/logs/ossec.log

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Wazuh to version 4.14.4 or later, where this stack-based buffer overflow vulnerability has been patched.

Until the upgrade can be applied, consider restricting or blocking incoming traffic on TCP port 1514 from untrusted sources to prevent exploitation attempts.

Additionally, monitor the /var/ossec/logs/ossec.log file for signs of log amplification attacks and ensure sufficient disk space and I/O capacity to handle potential log flooding.


How can this vulnerability impact me?

This vulnerability can impact you by allowing a remote attacker to cause a stack-based buffer overflow, which may lead to integrity and availability issues in the affected system.

Although a reliable crash or control-flow hijack has not been demonstrated, the buffer overflow could potentially destabilize the application.

Moreover, the vulnerability enables remote log amplification attacks by logging attacker-controlled data repeatedly, which can degrade monitoring fidelity and exhaust disk space or I/O resources, effectively causing a denial-of-service condition.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual or oversized messages sent to the Wazuh daemon on TCP port 1514, as the vulnerability is triggered by an oversized length prefix causing a diagnostic path to run.

Additionally, checking the Wazuh log file at /var/ossec/logs/ossec.log for repeated or abnormal hex dump entries can indicate attempts to exploit the vulnerability or log amplification attacks.

While no specific detection commands are provided, network monitoring tools can be used to capture and analyze traffic on TCP port 1514 for oversized or malformed packets.

  • Use tcpdump or Wireshark to capture traffic on port 1514: tcpdump -i <interface> port 1514
  • Search the Wazuh log for suspicious hex dump entries: grep -i 'hex' /var/ossec/logs/ossec.log

What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Wazuh to version 4.14.4 or later, where the issue has been patched.

Until the upgrade can be applied, consider restricting or monitoring incoming traffic on TCP port 1514 to prevent unauthenticated remote exploitation.

Also, monitor disk and I/O usage related to Wazuh logs to detect and respond to potential log amplification attacks.

