CVE-2026-41499

Name of the Vulnerable Software and Affected Versions Wazuh versions 4.0.0 through 4.14.3

Description Multiple heap-based out-of-bounds WRITE issues exist in the parse uname string() function within remoted op.c. This function processes OS identification data from agents and contains a code pattern that writes to strlen(ptr) - 1 without verifying if strings are empty. When an empty string is processed, strlen() returns 0, causing an unsigned integer underflow where 0 - 1 wraps to SIZE MAX. This results in a write operation occurring 1 byte before the allocated buffer, which corrupts heap metadata, such as the chunk size field in glibc malloc, leading to heap corruption.

Recommendations Update to version 4.14.4.