{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25790", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T19:58:01.639Z", "datePublished": "2026-03-17T18:41:45.834Z", "dateUpdated": "2026-03-18T14:56:08.611Z"}, "containers": {"cna": {"title": "Wazuh has Stack-Based Buffer Overflow in Security Configuration Assessment JSON Parser", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2"}], "affected": [{"vendor": "wazuh", "product": "wazuh", "versions": [{"version": ">= 3.9.0, < 4.14.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T18:41:45.834Z"}, "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (`wazuh-analysisd`). The use of `sprintf` with a floating-point (`%lf`) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack. A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential RCE on the Wazuh manager. The vulnerability is located in `/src/analysisd/decoders/security_configuration_assessment.c`, within the `FillScanInfo` and `FillCheckEventInfo` functions. In multiple locations, a 128-byte buffer (`char value[OS_SIZE_128];`) is allocated on the stack to hold the string representation of a number from a JSON event. The code checks if the number is an integer or a double. If it's a double, it uses `sprintf(value, \"%lf\", ...)` to perform the conversion. This `sprintf` call is unbounded. If a floating-point number with a large exponent (e.g., `1.0e150`) is provided, `sprintf` will attempt to write its full string representation (a \"1\" followed by 150 zeros), which is larger than the 128-byte buffer, corrupting the stack. Version 4.14.3 patches the issue."}], "source": {"advisory": "GHSA-cf24-hq8x-5jx2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T14:55:37.179736Z", "id": "CVE-2026-25790", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:56:08.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25790", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T14:55:37.179736Z"}}}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:55:58.254Z"}}], "cna": {"title": "Wazuh has Stack-Based Buffer Overflow in Security Configuration Assessment JSON Parser", "source": {"advisory": "GHSA-cf24-hq8x-5jx2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "wazuh", "product": "wazuh", "versions": [{"status": "affected", "version": ">= 3.9.0, < 4.14.3"}]}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2", "name": "https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (`wazuh-analysisd`). The use of `sprintf` with a floating-point (`%lf`) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack. A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential RCE on the Wazuh manager. The vulnerability is located in `/src/analysisd/decoders/security_configuration_assessment.c`, within the `FillScanInfo` and `FillCheckEventInfo` functions. In multiple locations, a 128-byte buffer (`char value[OS_SIZE_128];`) is allocated on the stack to hold the string representation of a number from a JSON event. The code checks if the number is an integer or a double. If it's a double, it uses `sprintf(value, \"%lf\", ...)` to perform the conversion. This `sprintf` call is unbounded. If a floating-point number with a large exponent (e.g., `1.0e150`) is provided, `sprintf` will attempt to write its full string representation (a \"1\" followed by 150 zeros), which is larger than the 128-byte buffer, corrupting the stack. Version 4.14.3 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T18:41:45.834Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25790", "state": "PUBLISHED", "dateUpdated": "2026-03-18T14:56:08.611Z", "dateReserved": "2026-02-05T19:58:01.639Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T18:41:45.834Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "matchCriteriaId": "14C059C9-DABB-4394-A21B-E224DC3C50D2", "versionEndExcluding": "4.14.3", "versionStartIncluding": "3.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (`wazuh-analysisd`). The use of `sprintf` with a floating-point (`%lf`) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack. A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential RCE on the Wazuh manager. The vulnerability is located in `/src/analysisd/decoders/security_configuration_assessment.c`, within the `FillScanInfo` and `FillCheckEventInfo` functions. In multiple locations, a 128-byte buffer (`char value[OS_SIZE_128];`) is allocated on the stack to hold the string representation of a number from a JSON event. The code checks if the number is an integer or a double. If it's a double, it uses `sprintf(value, \"%lf\", ...)` to perform the conversion. This `sprintf` call is unbounded. If a floating-point number with a large exponent (e.g., `1.0e150`) is provided, `sprintf` will attempt to write its full string representation (a \"1\" followed by 150 zeros), which is larger than the 128-byte buffer, corrupting the stack. Version 4.14.3 patches the issue."}, {"lang": "es", "value": "Wazuh es una plataforma de c\u00f3digo abierto y gratuita utilizada para la prevenci\u00f3n, detecci\u00f3n y respuesta a amenazas. A partir de la versi\u00f3n 3.9.0 y antes de la versi\u00f3n 4.14.3, existen m\u00faltiples desbordamientos de b\u00fafer basados en pila en el decodificador de Evaluaci\u00f3n de la Configuraci\u00f3n de Seguridad (SCA) ('wazuh-analysisd'). El uso de 'sprintf' con un especificador de formato de punto flotante ('%lf') en un b\u00fafer de tama\u00f1o fijo de 128 bytes permite a un atacante remoto desbordar la pila. Un evento JSON especialmente dise\u00f1ado puede desencadenar este desbordamiento, lo que lleva a una denegaci\u00f3n de servicio (ca\u00edda) o a una RCE potencial en el gestor de Wazuh. La vulnerabilidad se encuentra en '/src/analysisd/decoders/security_configuration_assessment.c', dentro de las funciones 'FillScanInfo' y 'FillCheckEventInfo'. En m\u00faltiples ubicaciones, se asigna un b\u00fafer de 128 bytes ('char value[OS_SIZE_128];') en la pila para almacenar la representaci\u00f3n en cadena de un n\u00famero de un evento JSON. El c\u00f3digo verifica si el n\u00famero es un entero o un doble. Si es un doble, utiliza 'sprintf(value, \"%lf\", ...)' para realizar la conversi\u00f3n. Esta llamada a 'sprintf' no tiene l\u00edmites. Si se proporciona un n\u00famero de punto flotante con un exponente grande (por ejemplo, '1.0e150'), 'sprintf' intentar\u00e1 escribir su representaci\u00f3n completa en cadena (un '1' seguido de 150 ceros), que es m\u00e1s grande que el b\u00fafer de 128 bytes, corrompiendo la pila. La versi\u00f3n 4.14.3 corrige el problema."}], "id": "CVE-2026-25790", "lastModified": "2026-03-19T17:14:09.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-17T19:16:01.493", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-cf24-hq8x-5jx2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.9.0,4.14.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wazuh", "source": "cna", "vendor": "wazuh"}, "product": "wazuh", "vendor": "wazuh"}], "analysis": {"en": {"generated_at": "2026-03-19T18:35:48.402440+00:00", "value": {"mitigation_remediation": ["Apply the official patch (upgrade to Wazuh 4.14.3 or later)", "If you cannot patch immediately, limit or block unsolicited JSON events to the Wazuh manager to reduce exposure", "After updating, verify that the wazuh-analysisd service restarts successfully and monitor for any abnormal process behavior"], "summary": {"action": "Patch Immediately", "impact": "Denial of Service / Possible Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems are Wazuh installations using the wazuh package. The flaw exists from version 3.9.0 up to, but not including, 4.14.3. Versions 4.14.3 and later have been patched to eliminate the use of the unsafe sprintf call. Therefore any Wazuh manager running a version in the 3.9.0\u20134.14.2 range is vulnerable.", "description_and_impact": "The vulnerability is a stack-based buffer overflow in the Security Configuration Assessment JSON parser in Wazuh. The flaw occurs when the decoder uses an unbounded sprintf with a %lf format to store a floating-point number in a fixed 128\u2011byte buffer. A specially crafted JSON event that contains a large exponent floating\u2011point value can cause the buffer to be overrun, resulting in stack corruption. Depending on how the overflow is leveraged, an attacker could cause a denial of service by crashing the Wazuh manager or potentially execute arbitrary code on the manager host. This weakness is mapped to CWE\u2011121 (stack\u2011based buffer overflow) and CWE\u2011787 (buffer access with incorrect length).", "risk_and_exploitability": "The CVSS score for this issue is 4.9, which falls into the moderate severity range. The EPSS score is less than 1%, indicating that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is remote; an attacker only needs to send the crafted JSON event to the wazuh-analysisd daemon. Since the decoder runs in the privileged manager process, successful exploitation could lead to a denial of service or higher privilege execution depending on how the stack corruption is used. Prompt patching mitigates the risk entirely."}}}}, "created": "2026-03-18T12:12:58.825186+00:00", "updated": "2026-03-24T10:48:53.561807+00:00", "vendors": ["wazuh", "wazuh$PRODUCT$wazuh"]}