CVE-2026-34150
Received Received - Intake

Heap Buffer Overflow in Wazuh Analysis Engine

Vulnerability report for CVE-2026-34150, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 1.0.0 and above, prior to 4.14.5, a heap buffer overflow in wazuh-analysisd allows an unauthenticated remote attacker to crash the Wazuh manager's analysis engine, causing complete loss of SIEM alert processing. The attack exploits the default configuration shipped in the official wazuh/wazuh-docker deployment with default configuration. An attacker can enroll with authd without a password to obtain a valid agent ID and encryption key, connect to remoted over the Wazuh agent protocol, and inject rootcheck events containing Β {key: value}Β  patterns longer than 30 bytes that trigger a sprintfΒ overflow of a 30-byte buffer in W_JSON_ParseRootcheck, corrupting the heap and crashing wazuh-analysisd so that all alert processing silently stops while the dashboard and API keep showing stale data.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wazuh wazuh_analysisd From 1.0.0 (inc) to 4.14.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a heap buffer overflow in Wazuh's analysis engine (wazuh-analysisd) that allows an unauthenticated remote attacker to crash the manager's alert processing. The flaw occurs when parsing specially crafted rootcheck events with compliance references longer than 30 bytes, triggering a sprintf overflow in a fixed-size buffer. This corrupts the heap and crashes wazuh-analysisd, stopping all SIEM alert processing while the dashboard and API remain operational but show stale data.

Detection Guidance

Monitor wazuh-analysisd for crashes or unexpected termination. Check logs for heap corruption errors or segmentation faults in the analysis engine. Inspect network traffic for unauthorized agent enrollments without passwords or oversized rootcheck event payloads exceeding 30 bytes.

Impact Analysis

An attacker could exploit this to crash the Wazuh manager, causing complete loss of SIEM alert processing. This means security events would go unprocessed, potentially allowing threats to go undetected. The attack requires no authentication and can be executed remotely, making it highly dangerous for systems relying on Wazuh for threat detection.

Compliance Impact

This vulnerability could lead to non-compliance with regulations like GDPR or HIPAA, which require timely detection and response to security incidents. If alerts are not processed due to the crash, organizations may fail to meet incident reporting requirements, risking legal penalties and data breach liabilities.

Mitigation Strategies

Enable password authentication in the Wazuh manager configuration to prevent unauthenticated agent enrollment. Update to Wazuh version 4.14.5 or later where the sprintf overflow is fixed. Restrict network access to the Wazuh agent protocol ports to trusted sources only.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34150. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart