CVE-2026-25772
Published: 17 March 2026
Summary
CVE-2026-25772 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Wazuh. Its CVSS base score is 4.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly addressing this CVE by mandating upgrades to the fixed version 4.14.3 to eliminate the buffer overflow vulnerability.
SI-16 implements memory protection mechanisms like stack canaries and ASLR that directly mitigate stack-based buffer overflows by preventing corruption and exploitation.
SI-10 enforces input validation on database synchronization payloads to restrict sizes exceeding the 2048-byte buffer, preventing the integer underflow trigger.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stack buffer overflow in the network-accessible database synchronization service enables Exploitation of Remote Services (T1210), used here for denial of service via Application or System Exploitation (T1499.004); the potential RCE path supports Exploitation for Privilege Escalation (T1068), even though high privileges are required.
NVD Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.14.3, a stack-based buffer overflow vulnerability exists in the Wazuh Database synchronization module (`wdb_delta_event.c`). The SQL query construction logic allows for an integer underflow when calculating the remaining buffer size. This occurs because the code incorrectly aggregates the return value of `snprintf`. If a specific database synchronization payload exceeds the size of the query buffer (2048 bytes), the size calculation wraps around to a massive integer, effectively removing bounds checking for subsequent writes. This allows an attacker to corrupt the stack, leading to a Denial of Service (DoS) or potentially RCE. Version 4.14.3 fixes the issue.
Deeper analysis
CVE-2026-25772 is a stack-based buffer overflow vulnerability in the Wazuh Database synchronization module, specifically in the file wdb_delta_event.c. Wazuh is a free and open-source platform for threat prevention, detection, and response. The issue affects versions starting from 4.4.0 and prior to 4.14.3. It arises from an integer underflow in the SQL query construction logic, where the code incorrectly aggregates the return value of snprintf when calculating the remaining buffer size. If a database synchronization payload exceeds the 2048-byte query buffer size, the calculation wraps around to a massive integer, disabling bounds checking and allowing stack corruption.
An attacker requires high privileges (PR:H) and network access (AV:N) with low attack complexity (AC:L) to exploit this vulnerability, with no user interaction needed (UI:N). Successful exploitation leads to high availability impact (A:H), enabling a denial of service (DoS) through stack corruption. The vulnerability also carries potential for remote code execution (RCE), though the CVSS v3.1 base score of 4.9 reflects unchanged scope (S:U) and no impact on confidentiality or integrity.
The Wazuh GitHub security advisory (GHSA-h7vp-j34v-h6j5) confirms the fix in version 4.14.3, which addresses the improper snprintf handling and buffer size calculation. Security practitioners should upgrade to 4.14.3 or later and review access controls for the database synchronization module to mitigate risks from privileged users. The vulnerability is associated with CWE-121 (Stack-based Buffer Overflow) and CWE-191 (Integer Underflow).
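The defect class named in the description and the analysis above (adding `snprintf`'s unclamped return value to the count of bytes used, so that `size - used` underflows once a payload no longer fits) is shown here in a constructed C example added for this page. It is not Wazuh's code and does not reproduce `wdb_delta_event.c`; only the 2048-byte buffer size is taken from the advisory, while the `query_builder` type, the function names, the `agent_events` table name and the oversized test payload are invented for the illustration. The faulty arithmetic is kept as a pure computation so nothing is written out of bounds; the hardened `qb_append` clamps the return value to what actually fit, refuses further writes once the buffer is full, and reports truncation so the caller can reject the payload instead of continuing with a wrapped size.

```c
/* Constructed illustration of CWE-191 -> CWE-121 via snprintf return-value
 * aggregation, beside a hardened bounded builder. Not Wazuh's code. */
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define QUERY_BUF_SIZE 2048 /* buffer size stated in the advisory */

typedef struct {
    char   *buf;       /* caller-owned fixed-size buffer */
    size_t  size;      /* total capacity including the terminating NUL */
    size_t  used;      /* bytes actually stored, excluding the NUL */
    bool    truncated; /* set once any append did not fit */
} query_builder;

void qb_init(query_builder *qb, char *buf, size_t size) {
    qb->buf = buf; qb->size = size; qb->used = 0; qb->truncated = false;
    if (size) buf[0] = '\0';
}

/* Hardened append: vsnprintf returns the length the output WOULD have had,
 * so the value is clamped to what really fit before being added to `used`.
 * `size - used` therefore never wraps, and once the buffer is full every
 * later append is refused instead of writing past the end. */
bool qb_append(query_builder *qb, const char *fmt, ...) {
    if (qb->truncated || qb->used >= qb->size) { qb->truncated = true; return false; }
    size_t room = qb->size - qb->used;            /* always in [1, size] */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(qb->buf + qb->used, room, fmt, ap);
    va_end(ap);
    if (n < 0) { qb->truncated = true; return false; }   /* encoding error */
    if ((size_t)n >= room) {                      /* did not fit: clamp */
        qb->used = qb->size - 1;                  /* room-1 chars + NUL were written */
        qb->truncated = true;
        return false;
    }
    qb->used += (size_t)n;
    return true;
}

/* The defective arithmetic, isolated as pure computation so nothing is
 * written out of bounds: adding the unclamped return value pushes `used`
 * past `size`, and the unsigned subtraction wraps to a huge "remaining". */
size_t naive_remaining(size_t size, size_t used, int snprintf_ret) {
    used += (size_t)snprintf_ret;   /* no clamp: the bug */
    return size - used;             /* wraps when used > size */
}

/* Build a query from a payload; *fit reports whether everything was stored.
 * Returns the number of bytes stored (never more than out_size - 1). */
size_t build_query(char *out, size_t out_size, const char *table,
                   const char *payload, bool *fit) {
    query_builder qb;
    qb_init(&qb, out, out_size);
    bool ok = qb_append(&qb, "INSERT INTO %s VALUES ('", table)
           && qb_append(&qb, "%s", payload)
           && qb_append(&qb, "');");
    *fit = ok && !qb.truncated;
    return qb.used;
}

/* Constructed stand-alone checks: a payload well above the 2048-byte buffer
 * must be rejected with the buffer still NUL-terminated and within bounds. */
bool oversized_payload_is_rejected(void) {
    static char out[QUERY_BUF_SIZE];
    char payload[4000];                      /* constructed oversized input */
    memset(payload, 'A', sizeof payload - 1);
    payload[sizeof payload - 1] = '\0';
    bool fit;
    size_t used = build_query(out, sizeof out, "agent_events", payload, &fit);
    return !fit && used == QUERY_BUF_SIZE - 1 && strlen(out) == used;
}

bool small_payload_fits(void) {
    static char out[QUERY_BUF_SIZE];
    const char *expect = "INSERT INTO agent_events VALUES ('ok');";
    bool fit;
    size_t used = build_query(out, sizeof out, "agent_events", "ok", &fit);
    return fit && used == strlen(expect) && strcmp(out, expect) == 0;
}

int main(void) {
    printf("small payload fits: %s\n", small_payload_fits() ? "yes" : "no");
    printf("oversized payload rejected: %s\n",
           oversized_payload_is_rejected() ? "yes" : "no");
    printf("naive remaining after 2500 bytes into %d: %zu (wrapped)\n",
           QUERY_BUF_SIZE, naive_remaining(QUERY_BUF_SIZE, 2000, 500));
    return 0;
}
```

The contrast worth keeping in mind when reviewing code of this shape: `naive_remaining` is what the description calls "incorrectly aggregating the return value", and the only difference in `qb_append` is the clamp plus the sticky `truncated` flag; a reviewer or a unit test can check for this class of defect by feeding an input larger than the buffer and asserting that the reported used length never exceeds the capacity.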
Details
- CWE(s): CWE-121 (Stack-based Buffer Overflow), CWE-191 (Integer Underflow)