Skip to main content

Wazuh Agent CVE-2026-40106

MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-07-16 GitHub_M
4.7
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AT:P reflects the specific prerequisite that the Wazuh syscheck configuration must include wildcard registry paths and the attacker must have write access to create subkeys under those monitored paths.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 01:10 vuln.today

DescriptionCVE.org

Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.6.0 and above prior to 4.14.5 contain a heap-based buffer overflow vulnerability in the syscheck component of the Wazuh agent for Windows. When expanding registry paths containing wildcards (* or ?), the agent allocates a fixed-size heap buffer of 256 bytes (OS_SIZE_256). By creating a registry subkey with a maximum allowed length (255 characters) inside a monitored path, a low-privileged local attacker can force an out-of-bounds write during string concatenation. Since wazuh-agent.exe runs as NT AUTHORITY\SYSTEM, this can lead to a silent Denial of Service (blinding the agent) or potentially Local Privilege Escalation (LPE). This issue has been fixed in version 4.14.5.

AnalysisAI

Heap-based buffer overflow in the Wazuh agent for Windows (versions 4.6.0 through 4.14.4) allows a low-privileged local attacker to corrupt heap memory by placing a maximum-length registry subkey name under a syscheck-monitored wildcard path, exploiting a fixed 256-byte allocation in the wildcard expansion routine. Because wazuh-agent.exe runs as NT AUTHORITY\SYSTEM, successful exploitation can silently crash the security agent - creating a detection blind spot - or potentially escalate attacker privileges to SYSTEM level. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privileged local Windows account
Delivery
Identify wildcard registry path in Wazuh syscheck config
Exploit
Create 255-character registry subkey under monitored path
Execution
Syscheck wildcard expansion overflows 256-byte heap buffer
Impact
Agent crash silences host detection (DoS) or heap corruption yields SYSTEM code execution (potential LPE)

Vulnerability AssessmentAI

Exploitation Exploitation requires a local account on the target Windows host with at least low-level user privileges (PR:L confirmed by CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 base score of 4.7 (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the local attack surface and high attack complexity, but may understate practical risk in some threat models. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged Windows user identifies (or guesses) a wildcard registry path configured in the local Wazuh agent's syscheck rules - for example, HKLM\SOFTWARE\Vendor\* - and creates a subkey with a 255-character name under that path, a standard operation requiring only registry write permission to the parent key. On the next syscheck scan cycle, the agent's wildcard expansion routine allocates a 256-byte heap buffer and attempts to concatenate the monitored path prefix with the 255-character subkey name, overflowing the buffer into adjacent heap memory. …
Remediation The primary remediation is to upgrade the Wazuh agent on all Windows hosts to version 4.14.5 or later, which resolves the fixed-size buffer allocation in the syscheck wildcard expansion routine; vendor advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-qvrc-pcfc-jhqc. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Wazuh

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2021-44079 CRITICAL POC
9.8 Nov 22

In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl comman

CVE-2026-25769 CRITICAL POC
9.1 Mar 17

A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achi

CVE-2018-19666 HIGH POC
7.8 Nov 29

The agent in OSSEC through 3.1.0 on Windows allows local users to gain NT AUTHORITY\SYSTEM access via Directory Traversa

CVE-2024-1243 HIGH POC
7.2 Jun 11

CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that al

CVE-2021-41821 MEDIUM POC
6.5 Sep 29

Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial o

CVE-2026-56699 CRITICAL
10.0 Jul 15

NDJSON injection in Wazuh Manager before 5.0.0-beta3 lets any enrolled agent smuggle arbitrary OpenSearch bulk operation

CVE-2024-32038 CRITICAL
9.8 Apr 19

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated critical severity (C

CVE-2026-25770 CRITICAL
9.1 Mar 17

Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauth

CVE-2026-30893 CRITICAL POC
9.0 Apr 29

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that

CVE-2023-42455 HIGH
8.8 Oct 09

Wazuh is a security detection, visibility, and compliance open source project. Rated high severity (CVSS 8.8), this vuln

CVE-2022-40497 HIGH
8.8 Sep 28

Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code exe

Share

CVE-2026-40106 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy