Cyber Posture

CVE-2026-25790

Severity: Medium · Public PoC referenced

Published: 17 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: version 4.14.3
CVSS Score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0017 (38.1st percentile)
Risk Priority: 10 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25790 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in the Wazuh platform (vendor Wazuh). Its CVSS base score is 4.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 38.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent (SI-2, Flaw Remediation): Directly mitigates the stack-based buffer overflow by requiring timely application of the vendor patch (version 4.14.3) that replaces unsafe sprintf usage in the SCA decoder.

Prevent, Detect (SI-16, Memory Protection): Implements memory protections such as stack canaries, ASLR, and DEP that prevent or detect exploitation of the stack buffer overflow in wazuh-analysisd.

Prevent: Requires validation of incoming JSON events to restrict floating-point numbers with large exponents that produce strings exceeding the 128-byte stack buffer.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote network exploitation of stack buffer overflow in exposed Wazuh manager (analysisd) directly enables T1190 for RCE potential and T1499.004 for application crash/DoS via crafted JSON input.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (`wazuh-analysisd`). The use of `sprintf` with a floating-point (`%lf`) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack. A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential RCE on the Wazuh manager. The vulnerability is located in `/src/analysisd/decoders/security_configuration_assessment.c`, within the `FillScanInfo` and `FillCheckEventInfo` functions. In multiple locations, a 128-byte buffer (`char value[OS_SIZE_128];`) is allocated on the stack to hold the string representation of a number from a JSON event. The code checks if the number is an integer or a double. If it's a double, it uses `sprintf(value, "%lf", ...)` to perform the conversion. This `sprintf` call is unbounded. If a floating-point number with a large exponent (e.g., `1.0e150`) is provided, `sprintf` will attempt to write its full string representation (a "1" followed by 150 zeros), which is larger than the 128-byte buffer, corrupting the stack. Version 4.14.3 patches the issue.

Deeper analysis [AI-generated]

CVE-2026-25790 is a stack-based buffer overflow vulnerability affecting the Wazuh platform, a free and open-source solution for threat prevention, detection, and response. The issue resides in the Security Configuration Assessment (SCA) decoder within the wazuh-analysisd component, specifically in the file `/src/analysisd/decoders/security_configuration_assessment.c` in the `FillScanInfo` and `FillCheckEventInfo` functions. Starting from version 3.9.0 and prior to version 4.14.3, the code allocates a fixed-size 128-byte stack buffer (`char value[OS_SIZE_128]`) to store string representations of numbers parsed from JSON events. When encountering a double-precision floating-point value, it uses an unbounded `sprintf(value, "%lf", ...)` call, which can overflow the buffer if provided with a number featuring a large exponent, such as `1.0e150`, resulting in a string longer than 128 bytes.

A remote attacker can exploit this vulnerability by sending a specially crafted JSON event to the Wazuh manager. Exploitation requires high privileges (PR:H) on the target system, with network access (AV:N), low attack complexity (AC:L), and no user interaction (UI:N). Successful exploitation leads to a denial of service via a crash of the wazuh-analysisd process, with potential for remote code execution (RCE) due to stack corruption. The CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) reflects high availability impact but no confidentiality or integrity effects in the scoped assessment, linked to CWEs 121 (Stack-based Buffer Overflow) and 787 (Out-of-bounds Write).

The Wazuh security advisory (GHSA-cf24-hq8x-5jx2) confirms that version 4.14.3 addresses the vulnerability by patching the unsafe `sprintf` usage in the affected functions. Security practitioners should upgrade to Wazuh 4.14.3 or later to mitigate the issue.
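The following is an added example written for this page; it is not Wazuh's code and not the 4.14.3 patch. It shows the defender's side of the NVD description and the input-validation control listed above: measure how long the `%lf` rendering of a number would be before touching the 128-byte buffer, and replace the unbounded `sprintf` with a bounded `snprintf` whose return value is checked for truncation. The `json_number` struct is a hypothetical stand-in for the parsed JSON value (Wazuh's real decoder uses its own JSON types), and `OS_SIZE_128` is set to the size the advisory names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same fixed buffer size the advisory names for `char value[OS_SIZE_128]`. */
#define OS_SIZE_128 128

/* Hypothetical stand-in for a parsed JSON number (not Wazuh's or cJSON's type).
 * is_int mirrors the decoder's "integer or double" check described in the NVD text. */
struct json_number {
    bool   is_int;
    long   ival;
    double dval;
};

/* How many bytes "%lf" would produce for d, not counting the terminating NUL.
 * snprintf with a NULL destination and size 0 is the C99 way to measure a
 * formatted length without writing anywhere, so it is safe on any input. */
int lf_length(double d) {
    return snprintf(NULL, 0, "%lf", d);
}

/* Input-validation check matching the control in the page's list: accept the
 * number only if its textual form fits the 128-byte buffer including the NUL. */
bool number_fits_buffer(const struct json_number *n) {
    int need = n->is_int ? snprintf(NULL, 0, "%ld", n->ival) : lf_length(n->dval);
    return need >= 0 && need < OS_SIZE_128;
}

/* Hardened replacement for the unbounded sprintf(value, "%lf", ...) pattern:
 * a bounded write plus an explicit truncation check. Returns true if the full
 * string was written, false if it would not fit (out is left empty). */
bool fill_number_checked(char *out, size_t outlen, const struct json_number *n) {
    int written = n->is_int ? snprintf(out, outlen, "%ld", n->ival)
                            : snprintf(out, outlen, "%lf", n->dval);
    if (written < 0 || (size_t)written >= outlen) {
        /* snprintf never writes more than outlen bytes, but it reports the length
         * it wanted; a value that would have been truncated is rejected outright. */
        if (outlen > 0) out[0] = '\0';
        return false;
    }
    return true;
}

int main(void) {
    char value[OS_SIZE_128];
    /* Constructed sample inputs: an ordinary double and the advisory's 1.0e150 magnitude. */
    struct json_number small = { .is_int = false, .ival = 0, .dval = 42.0 };
    struct json_number huge  = { .is_int = false, .ival = 0, .dval = 1.0e150 };

    printf("42.0 needs %d bytes, 1.0e150 needs %d bytes (buffer holds %d)\n",
           lf_length(small.dval), lf_length(huge.dval), OS_SIZE_128);
    printf("small accepted: %s -> \"%s\"\n",
           fill_number_checked(value, sizeof value, &small) ? "yes" : "no", value);
    printf("huge accepted:  %s\n",
           fill_number_checked(value, sizeof value, &huge) ? "yes" : "no");
    return 0;
}
```

The measuring step is what makes the rejection cheap: `%lf` never uses exponent notation, so a double near 1e150 renders as roughly 158 characters (151 integer digits, the point, and six decimals), well past the 128-byte budget, and `lf_length` reports that without any write. In a decoder, a `false` from `fill_number_checked` should drop or flag the event rather than continue with an empty string, which also gives a natural detection point for a rule that counts rejected SCA events per agent.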

Details

CWE(s): CWE-121 (Stack-based Buffer Overflow), CWE-787 (Out-of-bounds Write)

Affected Products

Vendor: wazuh
Product: wazuh
Versions: 3.9.0 up to, but not including, 4.14.3

CVEs Like This One

CVE-2026-28221 (same product: Wazuh Wazuh)
CVE-2026-25772 (same product: Wazuh Wazuh)
CVE-2025-62786 (same product: Wazuh Wazuh)
CVE-2025-24016 (same product: Wazuh Wazuh)
CVE-2025-15616 (same product: Wazuh Wazuh)
CVE-2026-25769 (same product: Wazuh Wazuh)
CVE-2024-47770 (same product: Wazuh Wazuh)
CVE-2025-15612 (same product: Wazuh Wazuh)
CVE-2024-35177 (same product: Wazuh Wazuh)
CVE-2025-15617 (same product: Wazuh Wazuh)

References