CVE-2026-40106 in Wazuh
Summary
by MITRE • 07/17/2026
Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.6.0 and above prior to 4.14.5 contain a heap-based buffer overflow vulnerability in the syscheck component of the Wazuh agent for Windows. When expanding registry paths containing wildcards (* or ?), the agent allocates a fixed-size heap buffer of 256 bytes (OS_SIZE_256). By creating a registry subkey with a maximum allowed length (255 characters) inside a monitored path, a low-privileged local attacker can force an out-of-bounds write during string concatenation. Since wazuh-agent.exe runs as NT AUTHORITY\SYSTEM, this can lead to a silent Denial of Service (blinding the agent) or potentially Local Privilege Escalation (LPE). This issue has been fixed in version 4.14.5.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability under discussion represents a critical heap-based buffer overflow affecting Wazuh agent versions 4.6.0 through 4.14.4, specifically within the syscheck component designed for Windows environments. This flaw exists in the registry path expansion mechanism that processes wildcard characters such as asterisks and question marks, creating an exploitable condition where insufficient input validation leads to memory corruption during string operations. The vulnerability is particularly concerning because Wazuh agent operates with elevated privileges as NT AUTHORITY\SYSTEM, making successful exploitation potentially devastating for system security and availability.
The technical implementation of this vulnerability stems from a fixed-size heap buffer allocation of exactly 256 bytes designated as OS_SIZE_256 within the Windows registry monitoring functionality. When processing registry paths containing wildcards, the agent performs string concatenation operations without adequate bounds checking against the predetermined buffer size limit. An attacker can craft a malicious registry subkey with a name approaching the maximum allowed length of 255 characters, specifically designed to overflow the allocated 256-byte buffer during subsequent processing operations. This overflow occurs through improper handling of string expansion and concatenation logic that fails to account for the actual memory requirements needed to accommodate expanded registry paths containing wildcards.
The operational impact of this vulnerability extends beyond simple denial of service conditions, presenting significant risks for system integrity and security posture. The silent denial of service scenario effectively blinds the Wazuh agent by causing it to crash or become unresponsive, thereby eliminating crucial threat detection capabilities for the monitored Windows system. However, the more severe implications involve potential local privilege escalation opportunities due to the elevated execution context of wazuh-agent.exe running as SYSTEM. Attackers could theoretically leverage this condition to execute arbitrary code with system-level privileges, potentially compromising entire network infrastructures where Wazuh agents are deployed across critical assets.
This vulnerability aligns with CWE-121, heap-based buffer overflow, and represents a classic example of insufficient bounds checking in memory management operations. From an ATT&CK framework perspective, the exploitation pathway maps to privilege escalation techniques through process manipulation and memory corruption attacks, specifically targeting T1068 (Local Privilege Escalation) and T1566 (Phishing with Social Engineering). The attack vector requires local access and low-privileged user accounts since the vulnerable behavior occurs during normal registry monitoring operations that do not require administrative privileges to trigger. Organizations should prioritize immediate patching of affected Wazuh installations to version 4.14.5 or later, as this release implements proper bounds checking and input validation measures to prevent buffer overflow conditions during registry path expansion operations, thereby eliminating the risk of both denial of service and privilege escalation attacks.
The fix implemented in version 4.14.5 addresses the root cause by introducing dynamic memory allocation that properly accounts for expanded registry paths containing wildcards, rather than relying on fixed-size buffers that cannot accommodate variable-length inputs. Additional mitigations include enhanced input sanitization routines and improved error handling mechanisms that prevent malformed registry entries from causing memory corruption during system monitoring operations. Security teams should also consider implementing network-based monitoring to detect anomalous registry access patterns that might indicate exploitation attempts targeting this specific vulnerability, particularly in environments where Wazuh agents monitor high-value registry locations containing sensitive system information.