CVE-2026-25790 Overview
CVE-2026-25790 is a stack-based buffer overflow [CWE-121] in the Wazuh Security Configuration Assessment (SCA) decoder component wazuh-analysisd. The flaw affects Wazuh versions 3.9.0 through 4.14.2. An authenticated remote attacker can submit a specially crafted JSON event containing a floating-point number with a large exponent. The wazuh-analysisd process uses sprintf with the %lf format specifier against a fixed 128-byte stack buffer, allowing the attacker to corrupt the stack. Successful exploitation causes a denial of service on the Wazuh manager and may enable remote code execution. Wazuh released version 4.14.3 to address the vulnerability.
Critical Impact
A remote attacker with privileged access can crash the Wazuh manager or potentially execute arbitrary code by submitting a JSON event containing an oversized floating-point value.
Affected Products
- Wazuh versions 3.9.0 through 4.14.2
- Wazuh manager component (wazuh-analysisd)
- Security Configuration Assessment (SCA) decoder module
Discovery Timeline
- 2026-03-17 - CVE-2026-25790 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-25790
Vulnerability Analysis
The vulnerability resides in /src/analysisd/decoders/security_configuration_assessment.c within the FillScanInfo and FillCheckEventInfo functions. Both functions allocate a fixed-size stack buffer declared as char value[OS_SIZE_128]; to hold the string representation of numeric values extracted from JSON events. When the decoder detects that a numeric field is a double, it invokes sprintf(value, "%lf", ...) to format the value into the buffer.
The sprintf call performs no bounds checking against the destination buffer size. A floating-point number with a large exponent such as 1.0e150 expands into a string representation containing a 1 followed by 150 zeros and a decimal portion. This output far exceeds the 128-byte buffer and overwrites adjacent stack memory, including saved return addresses and frame pointers.
Root Cause
The root cause is the unbounded use of sprintf with the %lf format specifier against a fixed-size stack allocation. The developers assumed that the formatted output would fit within OS_SIZE_128, but the %lf specifier produces output proportional to the exponent magnitude rather than a fixed width. Safer alternatives such as snprintf with explicit length limits would have prevented the overflow.
Attack Vector
An attacker requires high privileges to submit JSON events processed by the SCA decoder pipeline. The attacker crafts a JSON payload containing a floating-point field with a very large exponent. When wazuh-analysisd processes the event, the SCA decoder calls FillScanInfo or FillCheckEventInfo, triggering the overflow. The corrupted stack causes the analysis daemon to crash, halting threat detection across the entire Wazuh deployment. Stack overwrite of return addresses creates conditions for arbitrary code execution on the manager host.
The vulnerability mechanism is described in the Wazuh GitHub Security Advisory GHSA-cf24-hq8x-5jx2.
Detection Methods for CVE-2026-25790
Indicators of Compromise
- Unexpected crashes or restarts of the wazuh-analysisd process on the Wazuh manager
- Core dump files generated by wazuh-analysisd containing oversized floating-point strings
- JSON SCA events containing numeric fields with abnormally large exponents such as 1.0e150
- Gaps in SCA event processing or missing scan results in the Wazuh dashboard
Detection Strategies
- Inspect ingested JSON events for floating-point literals exceeding reasonable magnitude thresholds before they reach wazuh-analysisd
- Monitor wazuh-analysisd process health and restart counters for anomalous patterns
- Review Wazuh manager logs for decoder errors referencing security_configuration_assessment.c
Monitoring Recommendations
- Enable system-level crash reporting and core dump collection on Wazuh manager hosts
- Alert on repeated termination of the wazuh-analysisd service within short time windows
- Track agent-submitted SCA events for malformed or unusually large numeric fields
How to Mitigate CVE-2026-25790
Immediate Actions Required
- Upgrade all Wazuh manager instances to version 4.14.3 or later as the primary remediation
- Audit access to agent enrollment keys and restrict which principals can submit SCA events
- Review wazuh-analysisd crash history to identify any prior exploitation attempts
Patch Information
Wazuh version 4.14.3 patches the issue by replacing the unbounded sprintf calls in FillScanInfo and FillCheckEventInfo with bounded formatting. Administrators should consult the Wazuh GitHub Security Advisory GHSA-cf24-hq8x-5jx2 for full upgrade guidance and validate manager-agent version compatibility after upgrading.
Workarounds
- Restrict network access to the Wazuh manager ports so only trusted agents can submit events
- Disable the SCA module on agents until the manager upgrade is complete if operational requirements permit
- Apply strict input validation at any custom integration points that forward JSON events to wazuh-analysisd
# Verify the installed Wazuh manager version
/var/ossec/bin/wazuh-control info
# Upgrade to the patched release on Debian/Ubuntu
apt-get update && apt-get install --only-upgrade wazuh-manager=4.14.3-1
# Restart the manager after upgrade
systemctl restart wazuh-manager
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
