Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple heap-based out-of-bounds WRITE vulnerabilities exist in parse_uname_string() (remoted_op.c). This function processes OS identification data from agents and contains a dangerous code pattern that appears in 4 locations within the same function: writing to strlen(ptr) - 1 without checking for empty strings. When the string is empty, strlen() returns 0, and 0 - 1 wraps to SIZE_MAX due to unsigned integer underflow. Due to pointer arithmetic wrapping, SIZE_MAX effectively becomes -1, causing a write exactly 1 byte before the allocated buffer. This corrupts heap metadata (e.g., the chunk size field in glibc malloc), leading to heap corruption. This issue has been patched in version 4.14.4.
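The pattern described above, shown as an added example that is not Wazuh's code: it computes the index the unchecked `strlen(ptr) - 1` form would write to, without performing that write, and pairs it with a length-checked form. All function names and sample strings are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: the index the unchecked pattern computes.
 * strlen() returns size_t, so for "" this is 0 - 1 == SIZE_MAX. */
static size_t unchecked_last_index(const char *s)
{
    return strlen(s) - 1;
}

/* The same index viewed as a signed byte offset from the buffer start.
 * On mainstream ABIs SIZE_MAX converts to -1: one byte before the buffer. */
static ptrdiff_t unchecked_write_offset(const char *s)
{
    return (ptrdiff_t)unchecked_last_index(s);
}

/* Hardened form: only overwrite the last character when one exists.
 * Returns 1 if a byte was written, 0 if the string was left untouched. */
static int chop_last_checked(char *s)
{
    size_t len = strlen(s);
    if (len == 0)
        return 0;
    s[len - 1] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed inputs, not real agent data. */
    char samples[][16] = { "Linux host ", "x", "" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ptrdiff_t off = unchecked_write_offset(samples[i]);
        int wrote = chop_last_checked(samples[i]);
        printf("unchecked offset %td, checked wrote=%d, result \"%s\"\n",
               off, wrote, samples[i]);
    }
    return 0;
}
```

Building with AddressSanitizer (`-fsanitize=address`) is one way to catch the unchecked form during testing, since a write at offset -1 of a heap allocation lands in the redzone.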
Published: 2026-04-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to corrupt the heap by writing a single byte before an allocated buffer in the parse_uname_string() function of Wazuh. The flaw exists in four locations within the function and occurs when an empty string is processed, causing an unsigned integer underflow that writes to the heap metadata. The resulting corruption can compromise the integrity of the process and potentially enable arbitrary code execution, reflecting CWE‑124 and CWE‑191 weaknesses.

Affected Systems

The affected product is Wazuh, an open‑source security platform. Versions from 4.0.0 up to and including 4.14.3 are affected. The issue was fixed in Wazuh 4.14.4.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through data sent by an agent or the remote API that processes OS identification, though the description does not explicitly state the exact vector; this is inferred based on the function’s role in handling remote agent data. Exploitation would require an attacker to supply an empty string to parse_uname_string, which may be possible if an adversary can control agent communication. The risk of arbitrary code execution remains contingent on the attacker’s ability to inject such data and the presence of additional vulnerabilities that could be leveraged once heap corruption occurs.

Generated by OpenCVE AI on April 29, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wazuh to version 4.14.4 or later.
  • Rebuild and reinstall all agents using the updated Wazuh installation to ensure fresh OS identification data is parsed by the patched function.
  • Until the upgrade is applied, restrict agent communication to trusted networks and enforce strong authentication to prevent untrusted agents from sending malformed OS identification strings.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Wazuh; Wazuh wazuh
Vendors & Products | (none) | Wazuh; Wazuh wazuh

Wed, 29 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple heap-based out-of-bounds WRITE vulnerabilities exist in parse_uname_string() (remoted_op.c). This function processes OS identification data from agents and contains a dangerous code pattern that appears in 4 locations within the same function: writing to strlen(ptr) - 1 without checking for empty strings. When the string is empty, strlen() returns 0, and 0 - 1 wraps to SIZE_MAX due to unsigned integer underflow. Due to pointer arithmetic wrapping, SIZE_MAX effectively becomes -1, causing a write exactly 1 byte before the allocated buffer. This corrupts heap metadata (e.g., the chunk size field in glibc malloc), leading to heap corruption. This issue has been patched in version 4.14.4.
Title | (none) | Wazuh: Multiple Heap-based NULL WRITE Buffer Underflows in parse_uname_string()
Weaknesses | (none) | CWE-124; CWE-191
References | (none) |
Metrics | (none) | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-29T18:31:46.154Z

Reserved: 2026-04-20T16:14:19.009Z

Link: CVE-2026-41499

Vulnrichment

Updated: 2026-04-29T18:31:20.619Z

NVD

Status: Received

Published: 2026-04-29T19:16:23.780

Modified: 2026-04-29T19:16:23.780

Link: CVE-2026-41499

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses