CVE-2026-28221 Overview
CVE-2026-28221 is a stack-based buffer overflow [CWE-121] in the print_hex_string() function of wazuh-remoted, the component that handles agent communications in Wazuh. The flaw affects Wazuh versions 4.8.0 through 4.14.3 and is reachable remotely over TCP port 1514 before any agent authentication occurs. An unauthenticated attacker can send an oversized length-prefixed message to trigger the vulnerable hex-dump diagnostic path. The same path also writes attacker-controlled data to /var/ossec/logs/ossec.log, enabling remote log amplification that degrades monitoring fidelity. Wazuh patched the issue in version 4.14.4.
Critical Impact
Unauthenticated remote attackers can corrupt stack memory in wazuh-remoted and exhaust disk and I/O resources by amplifying logs through TCP/1514.
Affected Products
- Wazuh 4.8.0 through 4.14.3
- wazuh-remoted daemon listening on TCP/1514
- Wazuh manager deployments accepting agent connections
Discovery Timeline
- 2026-04-29 - CVE-2026-28221 published to NVD
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-28221
Vulnerability Analysis
The defect resides in the print_hex_string() helper used by wazuh-remoted to format raw bytes as hexadecimal for diagnostic logging. The function formats each byte using sprintf(dst_buf + 2*i, "%.2x", src_buf[i]) into a fixed 2049-byte stack buffer. On platforms where char is signed, the compiler sign-extends each byte before passing it to the variadic sprintf call. A byte such as 0xFF is promoted to the integer 0xFFFFFFFF and printed as "ffffffff", producing eight characters where the format width assumed two.
Each high-bit byte therefore writes six additional characters beyond the planned offset, allowing the write index to exceed the 2049-byte boundary and corrupt adjacent stack memory. The vulnerable diagnostic path is reached when wazuh-remoted receives a message with an oversized length prefix and routes it through the "unexpected message (hex)" handler. This handler executes before agent authentication or registration.
Root Cause
The root cause is a sign-extension defect [CWE-121] in the interaction between the C type promotion rules and an unbounded sprintf format. The destination buffer was sized for the worst case of two hex characters per byte, but signed-char promotion violates that assumption when the high bit is set. Compiler and platform behavior determine whether the issue manifests.
Attack Vector
An attacker connects to TCP port 1514 on a Wazuh manager and sends a crafted message whose length prefix forces the daemon into the oversized-message diagnostic path. No agent key, certificate, or prior registration is required. The handler invokes print_hex_string() on attacker-controlled bytes, and bytes with the high bit set drive the out-of-bounds stack write. A separate, lower-effort abuse uses bytes below 0x80 to repeatedly invoke the same diagnostic, which appends large hex dumps to /var/ossec/logs/ossec.log and amplifies disk and I/O consumption.
No verified public exploit or proof-of-concept code is available. See the GitHub Security Advisory GHSA-q9vv-7w4c-f4cm for vendor technical details.
Detection Methods for CVE-2026-28221
Indicators of Compromise
- Rapid growth of /var/ossec/logs/ossec.log containing repeated "unexpected message" hex-dump entries from unknown source addresses.
- Connections to TCP/1514 from hosts that are not registered Wazuh agents.
- Crashes or restarts of the wazuh-remoted process recorded in system journals.
- Unusual disk-space or inode consumption on the Wazuh manager file system hosting /var/ossec/logs/.
Detection Strategies
- Alert on high-frequency "unexpected message" diagnostic events in ossec.log correlated to a single source IP.
- Monitor wazuh-remoted for abnormal termination, segmentation faults, or unexpected respawns by the Wazuh service supervisor.
- Inspect network telemetry for TCP/1514 sessions originating outside the agent address range or carrying malformed length prefixes.
Monitoring Recommendations
- Forward Wazuh manager logs and process telemetry to a centralized analytics platform for correlation.
- Establish baselines for ossec.log write rate and alert on sustained deviations.
- Track CPU, memory, and disk I/O on Wazuh managers to identify amplification activity early.
How to Mitigate CVE-2026-28221
Immediate Actions Required
- Upgrade all Wazuh managers running 4.8.0 through 4.14.3 to version 4.14.4 or later without delay.
- Restrict TCP/1514 to known agent subnets at the network or host firewall.
- Rotate agent credentials after patching to limit reuse of any data observed during the exposure window.
- Review /var/ossec/logs/ossec.log for evidence of repeated unexpected-message events.
Patch Information
Wazuh resolved the issue in version 4.14.4. See the Wazuh 4.14.4 release notes and the GitHub Security Advisory GHSA-q9vv-7w4c-f4cm for fix details. Apply the upgrade through standard Wazuh package channels for your distribution.
Workarounds
- Block inbound TCP/1514 from untrusted networks using firewall rules until the patch is applied.
- Place the Wazuh manager behind a VPN or jump host so only authenticated networks can reach the agent listener.
- Enable strict log rotation and disk-usage alerts on /var/ossec/logs/ to limit the impact of log amplification.
# Restrict TCP/1514 to a trusted agent subnet (Linux iptables example)
iptables -A INPUT -p tcp --dport 1514 -s 10.10.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 1514 -j DROP
# Enforce aggressive rotation on the Wazuh log to limit amplification impact
cat >/etc/logrotate.d/ossec <<'EOF'
/var/ossec/logs/ossec.log {
hourly
rotate 24
size 100M
compress
missingok
notifempty
copytruncate
}
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

