CVE-2026-56401
Awaiting Analysis Awaiting Analysis - Queue

Null Pointer Dereference in Wazuh wazuh-modulesd

Vulnerability report for CVE-2026-56401, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Wazuh wazuh-modulesd before 5.0.0-beta3 contains a null pointer dereference vulnerability in inventory_sync FlatBuffer DataValue handling. An enrolled agent can send a verifier-valid DataValue message omitting the optional id field, causing wazuh-modulesd to crash when dereferencing data->id()->string_view() without null validation, resulting in denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wazuh wazuh-modulesd to 5.0.0-beta3 (exc)
wazuh wazuh_manager to 5.0.0-beta3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56401 is a null pointer dereference vulnerability in the Wazuh wazuh-modulesd component before version 5.0.0-beta3. It occurs in the inventory_sync FlatBuffer DataValue handling when an enrolled agent sends a verifier-valid DataValue message that omits the optional id field. The wazuh-modulesd process attempts to dereference data->id()->string_view() without checking if data->id() is null, causing the process to crash.

This crash results in a denial of service condition for the manager-side Inventory Sync processing.

Impact Analysis

This vulnerability can cause the wazuh-modulesd process on the Wazuh Manager to crash, leading to a denial of service (DoS). An enrolled agent can exploit this by sending a specially crafted DataValue message that omits the optional id field, triggering the crash.

The impact is primarily on availability, as the manager-side Inventory Sync processing becomes unavailable until the service is restarted or the issue is resolved.

Detection Guidance

This vulnerability causes the wazuh-modulesd process to crash due to a null pointer dereference when handling a crafted DataValue message missing the optional id field.

Detection can involve monitoring for unexpected crashes or restarts of the wazuh-modulesd service, especially after receiving inventory_sync messages from enrolled agents.

Since the issue is triggered by a specific malformed DataValue message, network detection could focus on inspecting inventory_sync FlatBuffer messages for missing id fields, though no specific commands are provided in the available resources.

A practical approach is to check the version of wazuh-modulesd to confirm if it is before 5.0.0-beta3, which is vulnerable.

Example command to check the installed version of wazuh-modulesd:

  • wazuh-modulesd -v

Additionally, monitoring system logs for crashes or segmentation faults related to wazuh-modulesd can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade wazuh-modulesd to version 5.0.0-beta3 or later, where the null pointer dereference vulnerability has been fixed.

If upgrading immediately is not possible, consider restricting or monitoring enrolled agents to prevent them from sending malformed DataValue messages that omit the id field.

Implement runtime validation or patch the code to check for null before dereferencing the id field in inventory_sync FlatBuffer handling, if you maintain a custom build.

Monitor wazuh-modulesd for crashes and restart the service as needed to maintain availability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56401. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart