CVE-2026-25790
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (wazuh-analysisd). The use of sprintf with a floating-point (%lf) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack. A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential RCE on the Wazuh manager. The vulnerability is located in /src/analysisd/decoders/security_configuration_assessment.c, within the FillScanInfo and FillCheckEventInfo functions. In multiple locations, a 128-byte buffer (char value[OS_SIZE_128];) is allocated on the stack to hold the string representation of a number from a JSON event. The code checks if the number is an integer or a double. If it's a double, it uses sprintf(value, "%lf", ...) to perform the conversion. This sprintf call is unbounded. If a floating-point number with a large exponent (e.g., 1.0e150) is provided, sprintf will attempt to write its full string representation (a "1" followed by 150 zeros), which is larger than the 128-byte buffer, corrupting the stack. Version 4.14.3 patches the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| wazuh | wazuh | >= 3.9.0, < 4.14.3 | affected |
Weaknesses
- CWE-121: CWE-121: Stack-based Buffer Overflow
- CWE-787: CWE-787: Out-of-bounds Write
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.