CVE-2026-25790 - Vulnerability Details

- Wazuh has Stack-Based Buffer Overflow in Security Configuration Assessment JSON Parser

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (`wazuh-analysisd`). The use of `sprintf` with a floating-point (`%lf`) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack. A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential RCE on the Wazuh manager. The vulnerability is located in `/src/analysisd/decoders/security_configuration_assessment.c`, within the `FillScanInfo` and `FillCheckEventInfo` functions. In multiple locations, a 128-byte buffer (`char value[OS_SIZE_128];`) is allocated on the stack to hold the string representation of a number from a JSON event. The code checks if the number is an integer or a double. If it's a double, it uses `sprintf(value, "%lf", ...)` to perform the conversion. This `sprintf` call is unbounded. If a floating-point number with a large exponent (e.g., `1.0e150`) is provided, `sprintf` will attempt to write its full string representation (a "1" followed by 150 zeros), which is larger than the 128-byte buffer, corrupting the stack. Version 4.14.3 patches the issue.

Published: 2026-03-17

Score: 4.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a stack-based buffer overflow in the Security Configuration Assessment JSON parser in Wazuh. The flaw occurs when the decoder uses an unbounded sprintf with a %lf format to store a floating-point number in a fixed 128‑byte buffer. A specially crafted JSON event that contains a large exponent floating‑point value can cause the buffer to be overrun, resulting in stack corruption. Depending on how the overflow is leveraged, an attacker could cause a denial of service by crashing the Wazuh manager or potentially execute arbitrary code on the manager host. This weakness is mapped to CWE‑121 (stack‑based buffer overflow) and CWE‑787 (buffer access with incorrect length).

Affected Systems

Affected systems are Wazuh installations using the wazuh package. The flaw exists from version 3.9.0 up to, but not including, 4.14.3. Versions 4.14.3 and later have been patched to eliminate the use of the unsafe sprintf call. Therefore any Wazuh manager running a version in the 3.9.0–4.14.2 range is vulnerable.

Risk and Exploitability

The CVSS score for this issue is 4.9, which falls into the moderate severity range. The EPSS score is less than 1%, indicating that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is remote; an attacker only needs to send the crafted JSON event to the wazuh-analysisd daemon. Since the decoder runs in the privileged manager process, successful exploitation could lead to a denial of service or higher privilege execution depending on how the stack corruption is used. Prompt patching mitigates the risk entirely.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wazuh

affected

Version	Status	Constraints
`>= 3.9.0, < 4.14.3`	affected	—

Configuration 1 [-]

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wazuh

100%

Version	Status	Scheme	Platform
`[3.9.0,4.14.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official patch (upgrade to Wazuh 4.14.3 or later)
If you cannot patch immediately, limit or block unsolicited JSON events to the Wazuh manager to reduce exposure
After updating, verify that the wazuh-analysisd service restarts successfully and monitor for any abnormal process behavior

Generated by OpenCVE AI on March 19, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00116.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2

History

Thu, 19 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:wazuh:wazuh::::::::

Wed, 18 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 18 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wazuh Wazuh wazuh
Vendors & Products		Wazuh Wazuh wazuh

Tue, 17 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (`wazuh-analysisd`). The use of `sprintf` with a floating-point (`%lf`) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack. A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential RCE on the Wazuh manager. The vulnerability is located in `/src/analysisd/decoders/security_configuration_assessment.c`, within the `FillScanInfo` and `FillCheckEventInfo` functions. In multiple locations, a 128-byte buffer (`char value[OS_SIZE_128];`) is allocated on the stack to hold the string representation of a number from a JSON event. The code checks if the number is an integer or a double. If it's a double, it uses `sprintf(value, "%lf", ...)` to perform the conversion. This `sprintf` call is unbounded. If a floating-point number with a large exponent (e.g., `1.0e150`) is provided, `sprintf` will attempt to write its full string representation (a "1" followed by 150 zeros), which is larger than the 128-byte buffer, corrupting the stack. Version 4.14.3 patches the issue.
Title		Wazuh has Stack-Based Buffer Overflow in Security Configuration Assessment JSON Parser
Weaknesses		CWE-121 CWE-787
References		https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Wazuh Wazuh

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-17T18:41:45.834Z

Updated: 2026-03-18T14:56:08.611Z

Reserved: 2026-02-05T19:58:01.639Z

Link: CVE-2026-25790

Vulnrichment

Updated: 2026-03-18T14:55:58.254Z

NVD

Status : Analyzed

Published: 2026-03-17T19:16:01.493

Modified: 2026-03-19T17:14:09.187

Link: CVE-2026-25790

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:48:53Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object