CVE-2026-54000
Received Received - Intake

Heap Buffer Overflow in osquery on Windows

Vulnerability report for CVE-2026-54000, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the processes table targeting a maliciously crafted process, due to unchecked PEB string lengths in process command-line and current-directory reads. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
osquery osquery to 5.23.1 (exc)
osquery osquery to 5.23.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54000 is a heap buffer overflow vulnerability in the Windows processes table of osquery, a SQL-powered operating system instrumentation and monitoring framework.

The issue arises because osquery allocates a fixed-size buffer (8192 bytes) to read process command-line and current-directory strings from the Process Environment Block (PEB) of a target process. However, the length fields in the PEB can be manipulated by a local unprivileged attacker to exceed this buffer size, causing an out-of-bounds write of up to approximately 57KB.

This vulnerability allows a local attacker to escalate privileges from a standard user to SYSTEM by exploiting the unchecked buffer size when querying the processes table.

The issue is fixed in osquery version 5.23.1 by clamping the read length to the buffer size before reading memory and ensuring proper buffer termination.

Impact Analysis

If exploited successfully, this vulnerability can allow a local unprivileged attacker to perform a heap buffer overflow, leading to local privilege escalation.

Specifically, an attacker with standard user access on a Windows system running a vulnerable version of osquery could gain SYSTEM-level privileges, which have full control over the system.

This elevated access could enable the attacker to execute arbitrary code, modify system configurations, access sensitive data, or disrupt system operations.

Detection Guidance

This vulnerability is triggered by querying the processes table in osquery on Windows systems, specifically targeting maliciously crafted processes that exploit unchecked PEB string lengths.

To detect potential exploitation attempts, you can monitor or audit queries to the osquery processes table, especially those that request command-line or current-directory information of processes.

A practical approach is to run osquery with a query targeting the processes table and observe any abnormal or suspicious process entries with unusually large command-line or current-directory strings.

  • Example osquery command to query the processes table: SELECT pid, name, command_line, current_directory FROM processes;
  • Monitor logs or outputs for unusually large or malformed command_line or current_directory fields that could indicate attempts to exploit the buffer overflow.
Mitigation Strategies

The primary mitigation is to upgrade osquery to version 5.23.1 or later, where the vulnerability has been fixed by clamping the PEB string lengths to prevent buffer overflows.

If immediate patching is not feasible, a recommended workaround is to disable queries to the processes table on Windows systems to prevent exploitation.

Additionally, monitoring and restricting local unprivileged user access to osquery or limiting the ability to run queries against the processes table can reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54000. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart