Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.14.3, a stack-based buffer overflow vulnerability exists in the Wazuh Database synchronization module (`wdb_delta_event.c`). The SQL query construction logic allows for an integer underflow when calculating the remaining buffer size. This occurs because the code incorrectly aggregates the return value of `snprintf`. If a specific database synchronization payload exceeds the size of the query buffer (2048 bytes), the size calculation wraps around to a massive integer, effectively removing bounds checking for subsequent writes. This allows an attacker to corrupt the stack, leading to a Denial of Service (DoS) or potentially RCE. Version 4.14.3 fixes the issue.
Published: 2026-03-17
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

An integer underflow occurs in the Wazuh Database synchronization module (`wdb_delta_event.c`) when constructing an SQL query using `snprintf`. The code incorrectly aggregates the return value, allowing the remaining buffer size calculation to wrap around to a very large integer if the payload exceeds 2048 bytes. This removes bounds checking for subsequent writes, corrupting the stack. The overflow can cause a Denial of Service or, in the worst case, Remote Code Execution. The vulnerability maps to CWE-121 (Stack-based Buffer Overflow) and CWE-191 (Integer Underflow).
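
The accounting error described above, as an added example that is not Wazuh's code: `flawed_remaining` shows how adding `snprintf`'s return value to an offset makes the remaining-size calculation wrap, and `checked_append` is one way to reject truncation instead. All function names and the filler input are constructed for illustration; only the 2048-byte buffer size comes from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define QUERY_MAX 2048 /* query buffer size stated in the advisory */

/* Constructed input: len filler bytes standing in for a payload field. */
const char *filler(size_t len)
{
    static char v[4096];
    if (len >= sizeof v) len = sizeof v - 1;
    memset(v, 'A', len);
    v[len] = '\0';
    return v;
}

/* Flawed accounting (illustrative): snprintf returns the length it WANTED
 * to write, so `used` can exceed the buffer size and `size - used` wraps.
 * Returns the limit the next write would get; no second write is made. */
size_t flawed_remaining(const char *value)
{
    char query[QUERY_MAX];
    size_t used = 0;
    used += (size_t)snprintf(query + used, sizeof query - used, "%s", value);
    return sizeof query - used;
}

/* Checked append: treat truncation as an error and keep `used` in bounds. */
int checked_append(char *buf, size_t size, size_t *used, const char *value)
{
    if (*used >= size) return -1;
    size_t room = size - *used;
    int n = snprintf(buf + *used, room, "%s", value);
    if (n < 0 || (size_t)n >= room) {
        buf[*used] = '\0'; /* discard the partial write */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

int main(void)
{
    char query[QUERY_MAX];
    size_t used = 0;
    printf("flawed, 100 bytes:  %zu\n", flawed_remaining(filler(100)));
    printf("flawed, 3000 bytes: %zu\n", flawed_remaining(filler(3000)));
    int rc = checked_append(query, sizeof query, &used, filler(3000));
    printf("checked, 3000 bytes: rc=%d used=%zu\n", rc, used);
}
```

With the oversized input the flawed version reports a remaining size far larger than the buffer, while the checked version returns an error and leaves the offset unchanged.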

Affected Systems

Vendors: Wazuh. Product: wazuh. Affected versions: all releases starting with 4.4.0 up through 4.14.2. Version 4.14.3 contains the fix. The issue exists in the database synchronization component that handles external sync payloads.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attack requires the attacker to supply an oversized synchronization payload, which could be delivered remotely if the sync interface is exposed or locally if the attacker has access to the database replication process. Based on the description, the likely attack vector is remote API or inter-node communication, but explicit vector data is not provided.

Generated by OpenCVE AI on March 19, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wazuh to version 4.14.3 or later to apply the patch that fixes the integer underflow and stack overflow.
  • Restart the Wazuh manager and monitor logs for any sync errors after upgrade.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | `cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*` |

Wed, 18 Mar 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Wazuh; Wazuh wazuh |
| Vendors & Products | | Wazuh; Wazuh wazuh |

Tue, 17 Mar 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |

Tue, 17 Mar 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Initial description added (identical to the Description at the top of this page) |
| Title | | Wazuh Database Synchronization Vulnerable to Stack-based Buffer Overflow via snprintf Integer Underflow |
| Weaknesses | | CWE-121; CWE-191 |
| References | | |
| Metrics | | cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}` |

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-17T18:55:55.613Z

Reserved: 2026-02-05T18:35:52.359Z

Link: CVE-2026-25772

Vulnrichment

Updated: 2026-03-17T18:55:48.713Z

NVD

Status: Analyzed

Published: 2026-03-17T19:16:01.260

Modified: 2026-03-19T17:15:43.710

Link: CVE-2026-25772

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:48:55Z