CVE-2026-44251
Received Received - Intake

Integer Underflow in Wazuh Leading to Remote DoS

Vulnerability report for CVE-2026-44251, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 3.0.0 and above, prior to 4.14.5, a size_t integer underflow in os_crypto/shared/msgs.c:389 allows any enrolled Wazuh agent to crash the wazuh-remoted process on the manager, immediately disconnecting all agents from the manager. A second code path reached by the same underflow may allow heap memory corruption. This issue has been fixed in version 4.14.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wazuh wazuh From 3.0.0 (inc) to 4.14.5 (exc)
wazuh wazuh 4.14.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a size_t integer underflow in Wazuh versions 3.0.0 to 4.14.4. It occurs in the ReadSecMSG function at line 389 of msgs.c. When a crafted agent message with a decompressed size between 1 and 52 bytes bypasses checksum validation, it triggers an integer underflow that wraps to a large value like SIZE_MAX. This causes os_calloc to fail, crashing the wazuh-remoted process and disconnecting all agents. A second code path may allow heap memory corruption.

Detection Guidance

Detecting this vulnerability requires monitoring for crashes in the wazuh-remoted process or disconnections of all agents. Check logs for segmentation faults or unexpected terminations in wazuh-remoted. Use commands like 'journalctl -u wazuh-remoted -n 100 --no-pager' to review recent logs for errors. Monitor agent connectivity with 'systemctl status wazuh-manager' and check for sudden drops in connected agents.

Impact Analysis

This vulnerability allows any enrolled Wazuh agent to remotely crash the wazuh-remoted process on the manager, disconnecting all agents from the manager. It may also lead to potential heap memory corruption or remote code execution (RCE) as the Wazuh user, depending on system memory allocation behavior.

Compliance Impact

This vulnerability could impact compliance with GDPR and HIPAA by enabling denial-of-service (DoS) attacks or remote code execution (RCE) on Wazuh managers. Such disruptions may lead to unauthorized access, data breaches, or service unavailability, violating confidentiality and integrity requirements under these regulations.

Mitigation Strategies

Upgrade Wazuh to version 4.14.5 or later immediately. If upgrading is not possible, apply the patch manually by adding a minimum-length guard in msgs.c to reject messages shorter than 53 bytes. Temporarily restrict network access to the Wazuh manager from untrusted sources until patched. Ensure no enrolled agents are compromised during the process.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44251. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart