CVE-2026-33754 in Wazuh
Summary
by MITRE • 07/17/2026
Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 3.9.0 and above, prior to 4.14.5, a remote attacker can trigger memory exhaustion in the cluster protocol parser by sending a crafted message header with an arbitrarily large payload length. The length is trusted before authentication/decryption and used directly to allocate memory, allowing unauthenticated denial of service of the cluster service. This issue has been fixed in version 4.14.5.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability described represents a critical memory exhaustion flaw in Wazuh's cluster protocol parser that affects versions 3.9.0 through 4.14.4, with the issue being resolved in version 4.14.5. This security weakness stems from improper input validation within the cluster communication mechanism where the system accepts and processes message header information without adequate authentication or decryption verification before validating the payload length parameters.
The technical flaw manifests as a lack of proper bounds checking on the payload length field contained within cluster protocol messages. When a remote attacker sends a crafted message header with an arbitrarily large payload length value, the system trusts this unauthenticated data and proceeds to allocate memory resources based on the specified size without any validation or rate limiting mechanisms. This design decision creates a direct path for denial of service attacks where malicious actors can exhaust available system memory by requesting allocations that far exceed normal operational requirements.
This vulnerability operates at the intersection of multiple cybersecurity domains including remote code execution risk, resource exhaustion attacks, and authentication bypass scenarios. The flaw falls under CWE-129: Improper Validation of Array Index and CWE-770: Allocation of Resources Without Limits or Throttling, demonstrating poor resource management practices in network protocol handling. From an operational perspective, this issue allows unauthenticated attackers to disrupt cluster services without requiring any valid credentials or encryption keys, making it particularly dangerous in environments where Wazuh clusters handle critical security monitoring functions.
The attack surface extends beyond simple denial of service as the memory exhaustion can potentially impact system stability and availability of other services running on the same infrastructure. This vulnerability aligns with ATT&CK technique T1499.004: Endpoint Denial of Service, specifically targeting the availability aspect of the security triad by compromising the cluster service functionality. The impact is particularly severe in high-availability environments where cluster coordination is essential for effective threat detection and response operations, as the disruption can cascade to affect broader security monitoring capabilities.
Organizations should implement immediate mitigations including upgrading to Wazuh version 4.14.5 or later, which includes proper input validation and memory allocation limits for cluster protocol messages. Network-level protections such as firewall rules that restrict cluster communication to trusted sources can provide additional defense in depth. System administrators should also consider implementing monitoring for unusual memory consumption patterns and establish automated alerting mechanisms for potential exploitation attempts. The fix implemented in version 4.14.5 demonstrates proper secure coding practices by introducing validation checks before memory allocation, ensuring that payload length parameters are verified against reasonable bounds before any resource consumption occurs.