CVE-2026-40106
Received Received - Intake

Heap-based Buffer Overflow in Wazuh Agent for Windows

Vulnerability report for CVE-2026-40106, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.6.0 and above prior to 4.14.5 contain a heap-based buffer overflow vulnerability in the syscheck component of the Wazuh agent for Windows. When expanding registry paths containing wildcards (* or ?), the agent allocates a fixed-size heap buffer of 256 bytes (OS_SIZE_256). By creating a registry subkey with a maximum allowed length (255 characters) inside a monitored path, a low-privileged local attacker can force an out-of-bounds write during string concatenation. Since wazuh-agent.exe runs as NT AUTHORITY\SYSTEM, this can lead to a silent Denial of Service (blinding the agent) or potentially Local Privilege Escalation (LPE). This issue has been fixed in version 4.14.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wazuh wazuh_agent to 4.14.5 (exc)
wazuh wazuh_agent 4.14.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a heap-based buffer overflow in the Wazuh agent for Windows versions 4.6.0 to 4.14.4. When monitoring registry paths with wildcards, the agent uses a fixed 256-byte buffer. An attacker can create a 255-character registry subkey inside a monitored path, causing an out-of-bounds write during string operations. This leads to heap corruption.

Detection Guidance

Check the installed Wazuh agent version on Windows systems using 'wazuh-control -V' or 'wazuh-agent --version'. If the version is below 4.14.5, the system is vulnerable. Monitor for crashes in wazuh-agent.exe or heap corruption errors in Windows Event Viewer under Application logs.

Impact Analysis

The vulnerability can cause a Denial of Service by crashing the Wazuh agent, disrupting monitoring. Since the agent runs as SYSTEM, there is also a potential for Local Privilege Escalation if an attacker manipulates the heap carefully.

Compliance Impact

This vulnerability could impact compliance with standards like GDPR and HIPAA by potentially disrupting the availability of the Wazuh agent, which is critical for security monitoring. A Denial of Service (DoS) condition could lead to gaps in threat detection and response, violating requirements for continuous monitoring and incident response under these regulations.

Mitigation Strategies

Upgrade the Wazuh agent to version 4.14.5 or later immediately. Disable registry monitoring with wildcards if not required. Restrict local user permissions to prevent registry modifications. Monitor agent stability and investigate any crashes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart