{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25772", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T18:35:52.359Z", "datePublished": "2026-03-17T18:11:05.707Z", "dateUpdated": "2026-03-17T18:55:55.613Z"}, "containers": {"cna": {"title": "Wazuh Database Synchronization Vulnerable to Stack-based Buffer Overflow via snprintf Integer Underflow", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-191", "lang": "en", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wazuh/wazuh/security/advisories/GHSA-h7vp-j34v-h6j5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-h7vp-j34v-h6j5"}], "affected": [{"vendor": "wazuh", "product": "wazuh", "versions": [{"version": ">= 4.4.0, < 4.14.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T18:11:05.707Z"}, "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.14.3, a stack-based buffer overflow vulnerability exists in the Wazuh Database synchronization module (`wdb_delta_event.c`). The SQL query construction logic allows for an integer underflow when calculating the remaining buffer size. This occurs because the code incorrectly aggregates the return value of `snprintf`. If a specific database synchronization payload exceeds the size of the query buffer (2048 bytes), the size calculation wraps around to a massive integer, effectively removing bounds checking for subsequent writes. This allows an attacker to corrupt the stack, leading to a Denial of Service (DoS) or potentially RCE. Version 4.14.3 fixes the issue."}], "source": {"advisory": "GHSA-h7vp-j34v-h6j5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T18:55:43.472794Z", "id": "CVE-2026-25772", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:55:55.613Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25772", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T18:55:43.472794Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:55:48.713Z"}}], "cna": {"title": "Wazuh Database Synchronization Vulnerable to Stack-based Buffer Overflow via snprintf Integer Underflow", "source": {"advisory": "GHSA-h7vp-j34v-h6j5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "wazuh", "product": "wazuh", "versions": [{"status": "affected", "version": ">= 4.4.0, < 4.14.3"}]}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-h7vp-j34v-h6j5", "name": "https://github.com/wazuh/wazuh/security/advisories/GHSA-h7vp-j34v-h6j5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.14.3, a stack-based buffer overflow vulnerability exists in the Wazuh Database synchronization module (`wdb_delta_event.c`). The SQL query construction logic allows for an integer underflow when calculating the remaining buffer size. This occurs because the code incorrectly aggregates the return value of `snprintf`. If a specific database synchronization payload exceeds the size of the query buffer (2048 bytes), the size calculation wraps around to a massive integer, effectively removing bounds checking for subsequent writes. This allows an attacker to corrupt the stack, leading to a Denial of Service (DoS) or potentially RCE. Version 4.14.3 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-191", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T18:11:05.707Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25772", "state": "PUBLISHED", "dateUpdated": "2026-03-17T18:55:55.613Z", "dateReserved": "2026-02-05T18:35:52.359Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T18:11:05.707Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "matchCriteriaId": "20E73DB8-7A42-4444-AF0C-9CC0AC810760", "versionEndExcluding": "4.14.3", "versionStartIncluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.14.3, a stack-based buffer overflow vulnerability exists in the Wazuh Database synchronization module (`wdb_delta_event.c`). The SQL query construction logic allows for an integer underflow when calculating the remaining buffer size. This occurs because the code incorrectly aggregates the return value of `snprintf`. If a specific database synchronization payload exceeds the size of the query buffer (2048 bytes), the size calculation wraps around to a massive integer, effectively removing bounds checking for subsequent writes. This allows an attacker to corrupt the stack, leading to a Denial of Service (DoS) or potentially RCE. Version 4.14.3 fixes the issue."}, {"lang": "es", "value": "Wazuh es una plataforma de c\u00f3digo abierto y gratuita utilizada para la prevenci\u00f3n, detecci\u00f3n y respuesta ante amenazas. A partir de la versi\u00f3n 4.4.0 y antes de la versi\u00f3n 4.14.3, existe una vulnerabilidad de desbordamiento de b\u00fafer basado en pila en el m\u00f3dulo de sincronizaci\u00f3n de la base de datos de Wazuh ('wdb_delta_event.c'). La l\u00f3gica de construcci\u00f3n de consultas SQL permite un desbordamiento negativo de enteros al calcular el tama\u00f1o restante del b\u00fafer. Esto ocurre porque el c\u00f3digo agrega incorrectamente el valor de retorno de `snprintf`. Si una carga \u00fatil de sincronizaci\u00f3n de base de datos espec\u00edfica excede el tama\u00f1o del b\u00fafer de consulta (2048 bytes), el c\u00e1lculo del tama\u00f1o se desborda a un entero masivo, eliminando efectivamente la verificaci\u00f3n de l\u00edmites para escrituras posteriores. Esto permite a un atacante corromper la pila, lo que lleva a una denegaci\u00f3n de servicio (DoS) o potencialmente a RCE. La versi\u00f3n 4.14.3 corrige el problema."}], "id": "CVE-2026-25772", "lastModified": "2026-03-19T17:15:43.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-17T19:16:01.260", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-h7vp-j34v-h6j5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-191"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.4.0,4.14.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wazuh", "source": "cna", "vendor": "wazuh"}, "product": "wazuh", "vendor": "wazuh"}], "analysis": {"en": {"generated_at": "2026-03-19T18:26:23.540049+00:00", "value": {"mitigation_remediation": ["Upgrade Wazuh to version 4.14.3 or later to apply the patch that fixes the integer underflow and stack overflow.", "Restart the Wazuh manager and monitor logs for any sync errors after upgrade."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Vendors: Wazuh. Product: wazuh. Affected versions: all releases starting with 4.4.0 up through 4.14.2. Version 4.14.3 contains the fix. The issue exists in the database synchronization component that handles external sync payloads.", "description_and_impact": "An integer underflow occurs in the Wazuh Database synchronization module (wdb_delta_event.c) when constructing an SQL query using snprintf. The code incorrectly aggregates the return value, allowing the remaining buffer size calculation to wrap around to a very large integer if the payload exceeds 2048 bytes. This removes bounds checking for subsequent writes, corrupting the stack. The overflow can cause a Denial of Service or, in the worst case, Remote Code Execution. The vulnerability maps to CWE-121 (Stack-Based Buffer Overflow) and CWE-191 (Integer Underrun).", "risk_and_exploitability": "The CVSS score of 4.9 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attack requires an attacker to supply an oversized synchronization payload, which could be delivered remotely if the sync interface is exposed or locally if the attacker has access to the database replication process. Based on the description, the likely attack vector is remote API or inter-node communication, but explicit vector data is not provided."}}}}, "created": "2026-03-18T12:13:00.597212+00:00", "updated": "2026-03-24T10:48:55.381137+00:00", "vendors": ["wazuh", "wazuh$PRODUCT$wazuh"]}