CVE-2026-25790

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (`wazuh-analysisd`). The use of `sprintf` with a floating-point (`%lf`) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack. A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential RCE on the Wazuh manager. The vulnerability is located in `/src/analysisd/decoders/security_configuration_assessment.c`, within the `FillScanInfo` and `FillCheckEventInfo` functions. In multiple locations, a 128-byte buffer (`char value[OS_SIZE_128];`) is allocated on the stack to hold the string representation of a number from a JSON event. The code checks if the number is an integer or a double. If it's a double, it uses `sprintf(value, "%lf", ...)` to perform the conversion. This `sprintf` call is unbounded. If a floating-point number with a large exponent (e.g., `1.0e150`) is provided, `sprintf` will attempt to write its full string representation (a "1" followed by 150 zeros), which is larger than the 128-byte buffer, corrupting the stack. Version 4.14.3 patches the issue.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2	Exploit Vendor Advisory Mitigation
https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2	Exploit Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-17 19:16

Updated : 2026-03-19 17:14

NVD link : CVE-2026-25790

Mitre link : CVE-2026-25790

CVE.ORG link : CVE-2026-25790

JSON object : View

Products Affected

wazuh

wazuh

CWE

CWE-121

Stack-based Buffer Overflow

CWE-787

Out-of-bounds Write

{"id": "CVE-2026-25790", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2026-03-17T19:16:01.493", "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}, {"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (`wazuh-analysisd`). The use of `sprintf` with a floating-point (`%lf`) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack. A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential RCE on the Wazuh manager. The vulnerability is located in `/src/analysisd/decoders/security_configuration_assessment.c`, within the `FillScanInfo` and `FillCheckEventInfo` functions. In multiple locations, a 128-byte buffer (`char value[OS_SIZE_128];`) is allocated on the stack to hold the string representation of a number from a JSON event. The code checks if the number is an integer or a double. If it's a double, it uses `sprintf(value, \"%lf\", ...)` to perform the conversion. This `sprintf` call is unbounded. If a floating-point number with a large exponent (e.g., `1.0e150`) is provided, `sprintf` will attempt to write its full string representation (a \"1\" followed by 150 zeros), which is larger than the 128-byte buffer, corrupting the stack. Version 4.14.3 patches the issue."}, {"lang": "es", "value": "Wazuh es una plataforma de c\u00f3digo abierto y gratuita utilizada para la prevenci\u00f3n, detecci\u00f3n y respuesta a amenazas. A partir de la versi\u00f3n 3.9.0 y antes de la versi\u00f3n 4.14.3, existen m\u00faltiples desbordamientos de b\u00fafer basados en pila en el decodificador de Evaluaci\u00f3n de la Configuraci\u00f3n de Seguridad (SCA) ('wazuh-analysisd'). El uso de 'sprintf' con un especificador de formato de punto flotante ('%lf') en un b\u00fafer de tama\u00f1o fijo de 128 bytes permite a un atacante remoto desbordar la pila. Un evento JSON especialmente dise\u00f1ado puede desencadenar este desbordamiento, lo que lleva a una denegaci\u00f3n de servicio (ca\u00edda) o a una RCE potencial en el gestor de Wazuh. La vulnerabilidad se encuentra en '/src/analysisd/decoders/security_configuration_assessment.c', dentro de las funciones 'FillScanInfo' y 'FillCheckEventInfo'. En m\u00faltiples ubicaciones, se asigna un b\u00fafer de 128 bytes ('char value[OS_SIZE_128];') en la pila para almacenar la representaci\u00f3n en cadena de un n\u00famero de un evento JSON. El c\u00f3digo verifica si el n\u00famero es un entero o un doble. Si es un doble, utiliza 'sprintf(value, \"%lf\", ...)' para realizar la conversi\u00f3n. Esta llamada a 'sprintf' no tiene l\u00edmites. Si se proporciona un n\u00famero de punto flotante con un exponente grande (por ejemplo, '1.0e150'), 'sprintf' intentar\u00e1 escribir su representaci\u00f3n completa en cadena (un '1' seguido de 150 ceros), que es m\u00e1s grande que el b\u00fafer de 128 bytes, corrompiendo la pila. La versi\u00f3n 4.14.3 corrige el problema."}], "lastModified": "2026-03-19T17:14:09.187", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14C059C9-DABB-4394-A21B-E224DC3C50D2", "versionEndExcluding": "4.14.3", "versionStartIncluding": "3.9.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}