CVE-2026-26204: Heap Out-of-Bounds Write in Wazuh
Platform
linux
Component
wazuh
Fixed in
4.14.4
CVE-2026-26204 describes a heap-based out-of-bounds write vulnerability discovered in Wazuh, a threat prevention, detection, and response platform. This flaw allows a malicious actor, potentially through a compromised Wazuh agent, to trigger denial of service or heap corruption. The vulnerability affects Wazuh versions from 1.0.0 up to, but not including, version 4.14.4. A fix is available in Wazuh version 4.14.4.
Impact and Attack Scenarios
The flaw is in the GetAlertData function: an unsigned integer underflow produces an incorrect pointer offset, so a write lands one byte before the allocated buffer and corrupts heap metadata. No complex preconditions are needed; a specially crafted alert delivered through a compromised agent is enough to trigger it. The immediate impact is denial of service, crashing the Wazuh manager. Heap corruption is in principle a stepping stone to control of the process, but the CVSS vector below scores confidentiality and integrity impact as none, no public proof of concept exists, and no code-execution path has been demonstrated for this bug or this pattern in Wazuh; treat arbitrary code execution as a theoretical risk rather than a known outcome, while remembering that similar heap-metadata corruptions in other software have been turned into code execution.
Exploitation Context
CVE-2026-26204 was published on April 29, 2026. Its EPSS score is 0.02% (4th percentile), i.e. a low predicted probability of exploitation in the wild over the next 30 days. No public proof-of-concept (PoC) code has been released as of this writing. Because the trigger is a crafted alert rather than a delicate memory-layout setup, a crash PoC would not be hard to produce, so monitor security advisories and threat-intelligence feeds for reports of active exploitation targeting Wazuh.
Threat Intelligence
Exploit Status
No public exploit or PoC known at the time of writing (see Exploitation Context above).
EPSS
0.02% (4th percentile)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (base score 4.4, Medium). The Local attack vector and High privileges required are what keep the score at Medium even though the trigger is an alert from a compromised agent.
- Attack Vector: Local — attacker needs a local shell or interactive session on the system.
- Attack Complexity: Low — no special conditions required; the attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: High — an admin or privileged account is required to exploit.
- User Interaction: None — the attack is automatic and silent; the victim does nothing (no click, no file open).
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — the attacker cannot read protected data.
- Integrity: None — the attacker cannot modify data.
- Availability: High — complete crash or resource exhaustion; full denial of service.
Mitigation and Workarounds
The primary mitigation is to upgrade Wazuh to version 4.14.4 or later, which contains the fix for this out-of-bounds write. If an immediate upgrade is not feasible because of compatibility or testing requirements, reduce exposure in the meantime. A WAF or reverse proxy will not help: the defect is in the manager's alert parsing (GetAlertData), not in HTTP traffic, and the crash occurs on the manager, not on the agent. What does help is treating agent-supplied data as untrusted: restrict the agent-communication and enrollment ports to known agent hosts, remove and re-register any agent you suspect is compromised, and, where your pipeline filters agent data before the manager processes it, cap the size of alert fields. Monitor the manager for crashes or unexpected restarts and for alert-processing errors in /var/ossec/logs/ossec.log, which could indicate exploitation attempts. After upgrading, confirm the fix by checking that the installed version reports 4.14.4 or later (for example with `/var/ossec/bin/wazuh-control info`); reproducing the out-of-bounds write under a debugger is not a practical verification step in production.
How to fix
Update to version 4.14.4 or later to mitigate the vulnerability. This update fixes an out-of-bounds memory write that could allow memory corruption or denial of service.
Frequently asked questions
What is CVE-2026-26204 — Heap Out-of-Bounds Write in Wazuh?
CVE-2026-26204 is a vulnerability in Wazuh versions 1.0.0–<4.14.4 that allows a compromised agent to trigger denial of service or heap corruption through a crafted alert. It's classified as MEDIUM severity.
Am I affected by CVE-2026-26204 in Wazuh?
You are affected if you are running any Wazuh version below 4.14.4, which includes 4.14.0 through 4.14.3 as well as every earlier release. Check the installed version with `/var/ossec/bin/wazuh-control info` (the WAZUH_VERSION line) and upgrade if necessary.
How do I fix CVE-2026-26204 in Wazuh?
Upgrade Wazuh to version 4.14.4 or later. If an immediate upgrade is not possible, restrict which hosts can send data to the manager, re-register any agent you suspect is compromised, and monitor the manager for crashes and alert-processing errors.
Is CVE-2026-26204 being actively exploited?
No public exploitation is currently known, but the vulnerability's nature suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Where can I find the official Wazuh advisory for CVE-2026-26204?
Refer to the Wazuh security advisories page: [https://www.wazuh.com/security-advisories/](https://www.wazuh.com/security-advisories/)