CVE-2026-25790

Name of the Vulnerable Software and Affected Versions Wazuh versions 3.9.0 through 4.14.2

Description Wazuh is a platform used for threat prevention, detection, and response. Multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (wazuh-analysisd). The use of sprintf with a floating-point (%lf) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack. A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential remote code execution (RCE) on the Wazuh manager. The vulnerability is located in /src/analysisd/decoders/security configuration assessment.c, within the FillScanInfo and FillCheckEventInfo functions. The issue occurs when processing floating-point numbers with large exponents within JSON events, as the sprintf function attempts to write a string representation exceeding the allocated buffer size (char value[OS SIZE 128];).

Recommendations Wazuh versions prior to 4.14.3 should be updated to version 4.14.3 or later.