Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Due to unsigned integer underflow and pointer arithmetic wrapping, the write lands at offset -1 from the buffer, corrupting heap metadata. A malicious actor can potentially leverage this issue through a compromised agent to cause denial of service or heap corruption by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector. This issue has been patched in version 4.14.4.
Published: 2026-04-29
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap-based out-of-bounds write in GetAlertData places a NUL byte one byte before the start of a buffer allocated by strdup. The write corrupts heap metadata and can lead to denial of service or heap corruption when a malformed alert is injected into the alerts log file. The underlying weakness is an unsigned integer underflow (CWE-191) that becomes a buffer underwrite (CWE-124) reaching the allocator's bookkeeping structures.
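The arithmetic behind this class of bug, as an added illustration that is not Wazuh's GetAlertData code: a size_t length of zero, decremented by one, wraps to SIZE_MAX, and indexing with it lands one byte before the strdup allocation. The "strip trailing newline" step and the function names are assumed stand-ins for whatever length computation underflows in the real function; the sample alert lines are constructed. The vulnerable form is shown beside the guarded form, and only the guarded form and the pure arithmetic check are ever executed.

```c
#define _POSIX_C_SOURCE 200809L   /* declares strdup on glibc */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration of the bug class named in the advisory (CWE-191 unsigned
 * underflow turning into a CWE-124 underwrite). It is NOT Wazuh's
 * GetAlertData code; the "strip trailing newline" step is an assumed stand-in
 * for whatever length computation underflows in the real function.
 */

/* Vulnerable pattern: after strdup, write a NUL at index len - 1 without
 * checking that len is non-zero. For an empty field len == 0, so len - 1
 * wraps to SIZE_MAX and the store lands one byte BEFORE the allocation,
 * i.e. on the allocator's chunk header. Never call this with an empty
 * string; it is here only to show the defect beside its fix. */
char *strip_newline_unchecked(const char *field) {
    char *buf = strdup(field);
    if (buf == NULL) {
        return NULL;
    }
    size_t len = strlen(buf);
    buf[len - 1] = '\0';   /* out-of-bounds write when len == 0 */
    return buf;
}

/* Well-defined check of the arithmetic alone: unsigned subtraction wraps
 * modulo SIZE_MAX + 1, so len - 1 == SIZE_MAX exactly when len == 0.
 * Returns 1 when the index computation would underflow, else 0. */
int index_underflows(size_t len) {
    size_t idx = len - 1;
    return idx == SIZE_MAX;
}

/* Hardened form: guard the length before indexing, and only overwrite the
 * byte if it really is the newline we intend to drop. */
char *strip_newline_checked(const char *field) {
    char *buf = strdup(field);
    if (buf == NULL) {
        return NULL;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
    }
    return buf;
}

int main(void) {
    /* Constructed sample inputs: an ordinary alert record and an empty
     * field, the latter being the input that triggers the underflow. */
    const char *samples[] = { "{\"alert\":\"sample\"}\n", "" };
    for (size_t i = 0; i < 2; i++) {
        size_t len = strlen(samples[i]);
        printf("len=%zu underflow=%d ", len, index_underflows(len));
        char *out = strip_newline_checked(samples[i]);
        printf("checked -> \"%s\"\n", out ? out : "(alloc failed)");
        free(out);
    }
    return 0;
}
```

The guarded version makes the empty-field case a no-op instead of a write at buf - 1; index_underflows is the single-expression test a reviewer can apply to any `buf[len - 1]` pattern on an unsigned length.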

Affected Systems

The flaw affects all Wazuh installations from version 1.0.0 up to, but not including, 4.14.4. Any system running these versions and accepting alerts from agents is vulnerable. Updated releases 4.14.4 and later include a patch that fixes the underflow.

Risk and Exploitability

The CVSS base score of 4.4 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in KEV, suggesting limited widespread exploitation. An attacker would need to compromise or control an agent in order to inject a crafted alert that triggers the write. Once the heap is corrupted, the process can crash or require a restart, causing denial of service. The absence of remote code execution limits the impact, but loss of service can be significant for high-availability deployments. Given the lack of public exploit evidence, the risk is considered moderate but still actionable.

Generated by OpenCVE AI on April 29, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wazuh to version 4.14.4 or later.
  • If upgrading immediately is not possible, isolate affected agents and stop the wazuh-logcollector from processing alerts from untrusted sources.
  • Audit and monitor the alerts log for suspicious patterns; update configuration to enforce strict validation of alert content.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 20:45:00 +0000
  Type: CPEs
  Values added: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*

Thu, 30 Apr 2026 13:15:00 +0000
  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 20:15:00 +0000
  Type: First Time appeared
  Values added: Wazuh; Wazuh wazuh
  Type: Vendors & Products
  Values added: Wazuh; Wazuh wazuh

Wed, 29 Apr 2026 18:00:00 +0000
  Type: Description
  Values added: (the description shown at the top of this page)
  Type: Title
  Values added: Wazuh: Heap-based NULL WRITE Buffer Underflow in GetAlertData
  Type: Weaknesses
  Values added: CWE-124, CWE-191
  Type: References
  Type: Metrics (cvssV3_1)
  Values added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-30T12:48:18.639Z

Reserved: 2026-02-11T19:56:24.814Z

Link: CVE-2026-26204

Vulnrichment

Updated: 2026-04-30T12:47:46.312Z

NVD

Status: Analyzed

Published: 2026-04-29T18:16:04.820

Modified: 2026-04-30T20:40:53.320

Link: CVE-2026-26204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses