Wazuh Agent
CVE-2026-40106
MEDIUM
Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
AT:P reflects the specific prerequisite that the Wazuh syscheck configuration must include wildcard registry paths and the attacker must have write access to create subkeys under those monitored paths.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.6.0 and above prior to 4.14.5 contain a heap-based buffer overflow vulnerability in the syscheck component of the Wazuh agent for Windows. When expanding registry paths containing wildcards (* or ?), the agent allocates a fixed-size heap buffer of 256 bytes (OS_SIZE_256). By creating a registry subkey with a maximum allowed length (255 characters) inside a monitored path, a low-privileged local attacker can force an out-of-bounds write during string concatenation. Since wazuh-agent.exe runs as NT AUTHORITY\SYSTEM, this can lead to a silent Denial of Service (blinding the agent) or potentially Local Privilege Escalation (LPE). This issue has been fixed in version 4.14.5.
AnalysisAI
Heap-based buffer overflow in the Wazuh agent for Windows (versions 4.6.0 through 4.14.4) allows a low-privileged local attacker to corrupt heap memory by placing a maximum-length registry subkey name under a syscheck-monitored wildcard path, exploiting a fixed 256-byte allocation in the wildcard expansion routine. Because wazuh-agent.exe runs as NT AUTHORITY\SYSTEM, successful exploitation can silently crash the security agent - creating a detection blind spot - or potentially escalate attacker privileges to SYSTEM level. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local account on the target Windows host with at least low-level user privileges (PR:L confirmed by CVSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 base score of 4.7 (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the local attack surface and high attack complexity, but may understate practical risk in some threat models. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged Windows user identifies (or guesses) a wildcard registry path configured in the local Wazuh agent's syscheck rules - for example, HKLM\SOFTWARE\Vendor\* - and creates a subkey with a 255-character name under that path, a standard operation requiring only registry write permission to the parent key. On the next syscheck scan cycle, the agent's wildcard expansion routine allocates a 256-byte heap buffer and attempts to concatenate the monitored path prefix with the 255-character subkey name, overflowing the buffer into adjacent heap memory. … |
| Remediation | The primary remediation is to upgrade the Wazuh agent on all Windows hosts to version 4.14.5 or later, which resolves the fixed-size buffer allocation in the syscheck wildcard expansion routine; vendor advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-qvrc-pcfc-jhqc. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl comman
A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achi
The agent in OSSEC through 3.1.0 on Windows allows local users to gain NT AUTHORITY\SYSTEM access via Directory Traversa
CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that al
Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial o
NDJSON injection in Wazuh Manager before 5.0.0-beta3 lets any enrolled agent smuggle arbitrary OpenSearch bulk operation
Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated critical severity (C
Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauth
Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that
Wazuh is a security detection, visibility, and compliance open source project. Rated high severity (CVSS 8.8), this vuln
Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code exe
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today