CVE-2026-41287 Overview
CVE-2026-41287 is a stack-based buffer overflow [CWE-121] in the WatchGuard Agent discovery service running on Windows hosts. The flaw allows an unauthenticated attacker positioned on the same local network segment to send crafted traffic that overflows a fixed-size stack buffer. Successful exploitation crashes the agent service, producing a denial-of-service condition on the affected endpoint. The vulnerability is reachable without credentials or user interaction, but requires adjacent network access rather than remote internet reachability. WatchGuard published an advisory tracking this issue under wgsa-2026-00010.
Critical Impact
An unauthenticated adjacent-network attacker can crash the WatchGuard Agent discovery service on Windows, disabling endpoint agent functionality.
Affected Products
- WatchGuard Agent for Windows (discovery service component)
- See the WatchGuard Security Advisory for affected version ranges
- Specific build numbers were not enumerated in the NVD record at publication
Discovery Timeline
- 2026-05-06 - CVE-2026-41287 published to the National Vulnerability Database
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-41287
Vulnerability Analysis
The WatchGuard Agent discovery service listens on the local network to facilitate device and peer discovery. The service contains a stack-based buffer overflow reachable through the network input path. When a crafted discovery packet is processed, the service writes attacker-controlled data past the bounds of a stack-allocated buffer, corrupting adjacent stack memory including saved return addresses and frame pointers.
The documented impact is a service crash, consistent with availability loss only. Confidentiality and integrity are not reported as affected, and no working code execution exploit is known at the time of disclosure. Because Windows enforces Data Execution Prevention by default and Windows binaries are normally compiled with stack cookies (/GS), achieving reliable code execution from this primitive would require additional bypasses not described in the vendor advisory.
Root Cause
The root cause is missing or incorrect bounds checking on a length or size field used during discovery packet parsing [CWE-121]. The service trusts attacker-supplied size values when copying network data into a fixed-size stack buffer.
Attack Vector
An attacker on the same Layer 2 or routed adjacent network sends a malformed discovery message to a host running the vulnerable WatchGuard Agent. No authentication, credentials, or user interaction are required. The network reach is limited to the adjacent network, which constrains exposure to attackers who already have a foothold on the local segment, on guest Wi-Fi, or on a trusted VLAN that reaches managed endpoints.
No verified proof-of-concept code is available publicly. Refer to the WatchGuard Security Advisory for vendor-confirmed technical details.
Detection Methods for CVE-2026-41287
Indicators of Compromise
- Unexpected termination or repeated restarts of the WatchGuard Agent discovery service on Windows endpoints
- Windows Application or System event log entries reporting an access violation in the WatchGuard Agent process
- Crash dump files generated by Windows Error Reporting referencing the WatchGuard discovery service binary
- Anomalous broadcast or multicast discovery traffic on management VLANs immediately preceding agent crashes
Detection Strategies
- Monitor service health for the WatchGuard Agent across the fleet and alert on abnormal stop or crash events
- Correlate Windows Error Reporting telemetry with network packet captures targeting the discovery service port
- Hunt for clusters of agent crashes affecting multiple hosts on the same subnet within a short window, which suggests active exploitation attempts
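One way to implement the cluster hunt in the last bullet, as an added Python example that is not WatchGuard tooling: it groups Windows crash events by /24 and flags any subnet where several distinct hosts crashed inside a short window, while a single host restarting repeatedly is counted once. The records, host names, addresses and the event field layout are constructed assumptions; the 7031/7034 (Service Control Manager) and 1000 (Application Error) event IDs are standard Windows IDs.

```python
"""Hunt for clustered WatchGuard Agent crashes by subnet and time window."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample records (timestamp, host, IP, Windows event ID); host
# names and addresses are placeholders. Service Control Manager logs 7034
# when a service terminates unexpectedly and 7031 when it also attempts
# recovery; Application Error logs 1000 for a faulting process.
SAMPLE_EVENTS = [
    ("2026-05-07T09:01:12", "WS-101", "10.10.30.11", 7034),
    ("2026-05-07T09:01:40", "WS-102", "10.10.30.12", 1000),
    ("2026-05-07T09:03:05", "WS-105", "10.10.30.15", 7034),
    ("2026-05-07T09:04:59", "WS-109", "10.10.30.19", 7031),
    # One host restarting repeatedly counts as one host, not a cluster.
    ("2026-05-07T11:20:00", "WS-201", "10.10.40.21", 7034),
    ("2026-05-07T11:21:00", "WS-201", "10.10.40.21", 7034),
    ("2026-05-07T11:22:00", "WS-201", "10.10.40.21", 7034),
    # Isolated crash on another subnet: noise for this hunt.
    ("2026-05-07T14:00:00", "WS-301", "10.10.50.31", 1000),
    # Unrelated event ID (service state change) is ignored.
    ("2026-05-07T14:00:30", "WS-302", "10.10.50.32", 7036),
]

CRASH_EVENT_IDS = {7031, 7034, 1000}


def find_crash_clusters(events, window_minutes=10, min_hosts=3):
    """Return [(subnet, window start, sorted hosts)] for every /24 where at
    least min_hosts distinct hosts crashed within window_minutes."""
    by_subnet = defaultdict(list)
    for ts, host, ip, event_id in events:
        if event_id not in CRASH_EVENT_IDS:
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_subnet[str(net)].append((datetime.fromisoformat(ts), host))

    window = timedelta(minutes=window_minutes)
    clusters = []
    for subnet, items in by_subnet.items():
        items.sort()
        best, first = set(), None
        # Slide a window from each event and keep the largest host set.
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) > len(best):
                best, first = hosts, t0
        if len(best) >= min_hosts:
            clusters.append((subnet, first.isoformat(), sorted(best)))
    return clusters
```

Feed it the crash events exported from the SIEM for a day and tune the window and host threshold to the size of your subnets.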
Monitoring Recommendations
- Enable verbose logging on the WatchGuard Agent and forward logs to a central SIEM for correlation
- Capture and baseline normal discovery protocol traffic on management segments to flag malformed packets
- Track agent uptime and version inventory to confirm patched builds are deployed across all Windows endpoints
How to Mitigate CVE-2026-41287
Immediate Actions Required
- Apply the fixed WatchGuard Agent build referenced in advisory wgsa-2026-00010 to all Windows endpoints
- Restrict the network segments where the agent is reachable, limiting adjacent-network exposure to trusted management VLANs
- Audit endpoint inventories to identify Windows hosts still running unpatched agent versions
Patch Information
WatchGuard published the official remediation in the WatchGuard Security Advisory wgsa-2026-00010. Administrators should consult the advisory for the exact fixed version and upgrade procedure, then deploy the update through their standard endpoint management workflow.
Workarounds
- Apply host-based firewall rules to block inbound traffic to the WatchGuard Agent discovery service from untrusted local subnets
- Segment guest networks and untrusted Wi-Fi away from VLANs hosting managed Windows endpoints
- Where business operations permit, temporarily disable the discovery service on exposed hosts until the patch is applied
# Example: allow inbound traffic to the WatchGuard Agent discovery service only from the
# trusted management subnet (10.10.20.0/24 here) and leave it blocked from all other sources.
# Windows Firewall evaluates Block rules before Allow rules regardless of creation order,
# so a Block rule with -RemoteAddress Any would silently override the scoped Allow rule.
# Rely on the profile's default inbound action (Block) instead of an explicit Block rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName "Allow WatchGuard Agent Discovery from Management VLAN" `
    -Direction Inbound `
    -Program "%ProgramFiles%\WatchGuard\Agent\WGAgent.exe" `
    -Action Allow `
    -RemoteAddress 10.10.20.0/24
# Any pre-existing broader inbound Allow rule for the same program must be disabled as well,
# otherwise it still admits discovery traffic from untrusted subnets.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.