CVE-2026-28221

CVE-2026-28221 is a stack-based buffer overflow vulnerability in the print_hex_string() function within the wazuh-remoted component of Wazuh, a free and open-source platform for threat prevention, detection, and response. The issue affects versions from 4.8.0 up to but not including 4.14.4 and arises on platforms where char is treated as signed, causing the compiled code to sign-extend bytes before a variadic sprintf call. Specifically, formatting attacker-controlled bytes such as 0xFF with sprintf(dst_buf + 2*i, "%.2x", src_buf[i]) can emit "ffffffff" (8 characters) instead of "ff" (2 characters), leading to an out-of-bounds write beyond a fixed 2049-byte stack buffer. Additionally, the vulnerability enables remote log amplification via repeated hex dumps logged to /var/ossec/logs/ossec.log.

The vulnerability is exploitable remotely by unauthenticated attackers connecting to TCP port 1514 prior to any agent authentication or registration. An oversized length prefix in a message triggers the "unexpected message (hex)" diagnostic path, invoking the flawed print_hex_string() and causing the buffer overflow. Even without the sign-extension overflow (e.g., using bytes below 0x80), the same path logs attacker-controlled hex dumps, enabling log amplification that degrades monitoring fidelity and consumes disk and I/O resources. The CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) reflects network accessibility with low complexity, no privileges required, and impacts to integrity and availability but not confidentiality. Associated CWEs are CWE-121 (Stack-based Buffer Overflow) and CWE-400 (Uncontrolled Resource Consumption).

Wazuh has addressed this issue in version 4.14.4, as detailed in the release notes and security advisory GHSA-q9vv-7w4c-f4cm. Security practitioners should upgrade to 4.14.4 or later to mitigate the buffer overflow and log amplification risks.