Heap-based Out-of-Bounds Write Vulnerability in Wazuh by Wazuh
CVE-2026-41499

6.5MEDIUM

Key Information:

Vendor: Wazuh
Status: Wazuh
Vendor: CVE Published:; 29 April 2026

What is CVE-2026-41499?

Wazuh, an open-source platform for threat detection and response, is affected by multiple heap-based out-of-bounds write vulnerabilities. These vulnerabilities reside in the parse_uname_string() function, which handles OS identification data from agents. The issue arises from an unsafe code pattern that fails to verify whether input strings are empty. When an empty string is processed, the calculation of the length of the string results in unsigned integer underflow, allowing for an out-of-bounds write. Consequently, this can corrupt heap metadata, leading to potential exploitation. The issue has been addressed in Wazuh version 4.14.4.

Affected Version(s)

wazuh >= 4.0.0, < 4.14.4

References

https://github.com/wazuh/wazuh/security/advisories/GHSA-q...

x_refsource_CONFIRM

https://github.com/wazuh/wazuh/releases/tag/v4.14.4

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2026
Vulnerability Reserved
Apr 20, 2026

CVE-2026-41499 Data

JSON