CVE-2026-26204— Wazuh: Heap-based NULL WRITE Buffer Underflow in GetAlertData
Possible ATT&CK Techniques 2AI
T1499 · Endpoint Denial of Service T1203 · Exploitation for Client ExecutionGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-26204
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Wazuh: Heap-based NULL WRITE Buffer Underflow in GetAlertData
Source: NVD (National Vulnerability Database)
Vulnerability Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Due to unsigned integer underflow and pointer arithmetic wrapping, the write lands at offset -1 from the buffer, corrupting heap metadata. A malicious actor can potentially leverage this issue through a compromised agent to cause denial of service or heap corruption by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector. This issue has been patched in version 4.14.4.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
缓冲区下溢
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wazuh 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Wazuh是Wazuh开源的一个应用软件。用于收集,汇总,索引和分析安全数据,帮助组织检测入侵,威胁和行为异常。 Wazuh 1.0.0版本至4.14.4之前版本存在安全漏洞,该漏洞源于GetAlertData中基于堆的越界写入,可能导致拒绝服务或堆损坏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-26204
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-26204
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-26204 (1)
Vendor Pages for CVE-2026-26204 (1)
- Release Wazuh v4.14.4 · wazuh/wazuh · GitHubx_refsource_MISC
Same Patch Batch · wazuh · 2026-04-29 · 5 CVEs total
| CVE-2026-30893 | 9.0 CRITICAL | Wazuh cluster sync path traversal in decompress_files() enables arbitrary file write and c |
| CVE-2026-26206 | 6.5 MEDIUM | Wazuh: API brute-force protection bypass via race condition in login attempt tracking |
| CVE-2026-41499 | 6.5 MEDIUM | Wazuh: Multiple Heap-based NULL WRITE Buffer Underflows in parse_uname_string() |
| CVE-2026-28221 | 6.5 MEDIUM | Wazuh: Pre-auth stack-based buffer overflow in wazuh-remoted print_hex_string() due to sig |
IV. Related Vulnerabilities
Same product: wazuh
- CVE-2026-41499
Wazuh: Multiple Heap-based NULL WRITE Buffer Underflows in p - CVE-2026-30893
Wazuh cluster sync path traversal in decompress_files() enab - CVE-2026-28221
Wazuh: Pre-auth stack-based buffer overflow in wazuh-remoted - CVE-2026-26206
Wazuh: API brute-force protection bypass via race condition - CVE-2023-7340
Wazuh authd service (os_auth) Heap-based Buffer Overflow
Same vendor: wazuh
- CVE-2026-41499
Wazuh: Multiple Heap-based NULL WRITE Buffer Underflows in p - CVE-2026-30893
Wazuh cluster sync path traversal in decompress_files() enab - CVE-2026-28221
Wazuh: Pre-auth stack-based buffer overflow in wazuh-remoted - CVE-2026-26206
Wazuh: API brute-force protection bypass via race condition - CVE-2025-15612
Wazuh Provisioning Scripts / Build Infrastructure Improper C
V. Comments for CVE-2026-26204
No comments yet