CVE-2026-25772
Wazuh Database Synchronization Vulnerable to Stack-based Buffer Overflow via snprintf Integer Underflow
Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.14.3, a stack-based buffer overflow vulnerability exists in the Wazuh Database synchronization module (`wdb_delta_event.c`). The SQL query construction logic allows for an integer underflow when calculating the remaining buffer size. This occurs because the code incorrectly aggregates the return value of `snprintf`. If a specific database synchronization payload exceeds the size of the query buffer (2048 bytes), the size calculation wraps around to a massive integer, effectively removing bounds checking for subsequent writes. This allows an attacker to corrupt the stack, leading to a Denial of Service (DoS) or potentially RCE. Version 4.14.3 fixes the issue.
INFO
Published Date :
March 17, 2026, 7:16 p.m.
Last Modified :
March 19, 2026, 5:15 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | [email protected] | ||||
| CVSS 3.1 | HIGH | [email protected] |
Solution
- Update Wazuh to version 4.14.3 or later.
- Ensure the database synchronization module is protected.
- Monitor system logs for unusual activity.
Public PoC/Exploit Available at Github
CVE-2026-25772 has a 2 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-25772.
| URL | Resource |
|---|---|
| https://github.com/wazuh/wazuh/security/advisories/GHSA-h7vp-j34v-h6j5 | Exploit Vendor Advisory Mitigation |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-25772 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-25772
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Config files for my GitHub profile.
config github-config
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-25772 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-25772 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Mar. 19, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:* versions from (including) 4.4.0 up to (excluding) 4.14.3 Added Reference Type GitHub, Inc.: https://github.com/wazuh/wazuh/security/advisories/GHSA-h7vp-j34v-h6j5 Types: Exploit, Mitigation, Vendor Advisory -
New CVE Received by [email protected]
Mar. 17, 2026
Action Type Old Value New Value Added Description Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.14.3, a stack-based buffer overflow vulnerability exists in the Wazuh Database synchronization module (`wdb_delta_event.c`). The SQL query construction logic allows for an integer underflow when calculating the remaining buffer size. This occurs because the code incorrectly aggregates the return value of `snprintf`. If a specific database synchronization payload exceeds the size of the query buffer (2048 bytes), the size calculation wraps around to a massive integer, effectively removing bounds checking for subsequent writes. This allows an attacker to corrupt the stack, leading to a Denial of Service (DoS) or potentially RCE. Version 4.14.3 fixes the issue. Added CVSS V3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Added CWE CWE-191 Added CWE CWE-121 Added Reference https://github.com/wazuh/wazuh/security/advisories/GHSA-h7vp-j34v-h6j5