CVE-2026-41499

MEDIUM

Wazuh: Multiple Heap-based NULL WRITE Buffer Underflows in parse_uname_string()

Title source: cna

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple heap-based out-of-bounds WRITE vulnerabilities exist in parse_uname_string() (remoted_op.c). This function processes OS identification data from agents and contains a dangerous code pattern that appears in 4 locations within the same function: writing to strlen(ptr) - 1 without checking for empty strings. When the string is empty, strlen() returns 0, and 0 - 1 wraps to SIZE_MAX due to unsigned integer underflow. Due to pointer arithmetic wrapping, SIZE_MAX effectively becomes -1, causing a write exactly 1 byte before the allocated buffer. This corrupts heap metadata (e.g., the chunk size field in glibc malloc), leading to heap corruption. This issue has been patched in version 4.14.4.

References (2)

[X_Refsource_Confirm] https://github.com/wazuh/wazuh/security/advisories/GHSA-qvqj-p8mm-r7h3

[X_Refsource_Misc] https://github.com/wazuh/wazuh/releases/tag/v4.14.4

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 11.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-124 CWE-191

Status published

Products (1)

wazuh/wazuh >= 4.0.0, < 4.14.4

Published Apr 29, 2026

Tracked Since Apr 30, 2026