CVE-2026-28221

Name of the Vulnerable Software and Affected Versions Wazuh versions 4.8.0 through 4.14.3

Description A stack-based buffer overflow exists in the print hex string() function within wazuh-remoted. This occurs when formatting attacker-controlled bytes using sprintf() on platforms where char is treated as signed and the compiled code sign-extends bytes before the variadic call. For instance, input bytes such as 0xFF may result in the emission of "ffffffff" instead of "ff", leading to an out-of-bounds write past a fixed 2049-byte stack buffer. This path is reachable remotely via TCP/1514 before agent authentication or registration when an oversized length prefix triggers the "unexpected message (hex)" diagnostic path. Additionally, this same unauthenticated path allows for remote log amplification by logging attacker-controlled hex dumps to /var/ossec/logs/ossec.log, which can consume disk/IO resources and degrade monitoring fidelity.

Recommendations Update to version 4.14.4.