PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32984 Wazuh CVE debrief

A heap-buffer overflow vulnerability exists in Wazuh's authentication daemon (authd). The flaw allows remote attackers to send specially crafted input that causes memory corruption and malformed heap data. Successful exploitation results in a denial of service condition affecting availability of the authentication service. The vulnerability is rated MEDIUM severity with a CVSS score of 5.3. Affected versions include Wazuh up to 3.5.0 and version 4.3.10 specifically. The underlying weakness is identified as CWE-125 (Out-of-bounds Read). The CVE was published on March 27, 2026 and last modified on May 26, 2026. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Wazuh
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-27
Original CVE updated: 2026-05-26
Advisory published: 2026-03-27
Advisory updated: 2026-05-26

Who should care

Security teams operating Wazuh security monitoring platforms, system administrators managing Wazuh agent authentication infrastructure, and organizations relying on Wazuh for endpoint detection and response should prioritize assessment and patching. Network defenders responsible for availability of security infrastructure services should monitor for potential denial of service conditions affecting authentication capabilities.

Technical summary

The vulnerability resides in Wazuh's authentication daemon (authd), where improper handling of specially crafted input leads to a heap-buffer overflow. This memory safety issue causes heap data corruption and can trigger daemon crashes, resulting in denial of service. The attack requires network access to the authd service and user interaction, with low complexity for exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L) reflects network accessibility, no privilege requirements, user interaction dependency, and low availability impact. The vulnerability is classified under CWE-125 (Out-of-bounds Read).

Defensive priority

Medium

Recommended defensive actions

  • Review Wazuh authd configurations and assess exposure of the authentication daemon to untrusted networks
  • Apply vendor patches or updates addressing CVE-2026-32984 when available from Wazuh
  • Monitor Wazuh authd process stability and logs for anomalous termination or memory-related errors
  • Consider network segmentation to limit access to the Wazuh authd service
  • Review the VulnCheck advisory for additional technical details and mitigation guidance
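One way to carry out the first and fourth actions, as an added example that is not code from Wazuh or from this debrief: it reads the `<auth>` block of a manager `ossec.conf` and the output of `ss -ltn`, then reports how reachable authd is. The default port 1515 and the `<auth>` option names are assumptions taken from Wazuh's standard configuration, not from this page, and both sample inputs are constructed.

```python
import xml.etree.ElementTree as ET
# Constructed samples: a manager ossec.conf fragment and `ss -ltn` output.
SAMPLE_CONF = """
<ossec_config>
  <auth>
    <disabled>no</disabled><port>1515</port>
    <use_password>no</use_password>
  </auth>
</ossec_config>
"""
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:1515       0.0.0.0:*
LISTEN 0      128    127.0.0.1:55000    0.0.0.0:*
"""

def authd_settings(conf_text):
    """Return the exposure-relevant <auth> settings from ossec.conf text."""
    # ossec.conf may hold several <ossec_config> roots, so wrap before parsing.
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    # Assumed defaults: enabled, port 1515, no password, no agent CA.
    out = {"disabled": "no", "port": "1515", "use_password": "no", "ssl_agent_ca": ""}
    for auth in root.iter("auth"):
        for key in out:
            node = auth.find(key)
            if node is not None and node.text:
                out[key] = node.text.strip()  # later blocks override earlier ones
    return out

def listen_addresses(ss_text, port):
    """Return the local addresses that `ss -ltn` shows listening on the port."""
    found = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            addr, _, p = cols[3].rpartition(":")  # also splits "[::]:1515"
            if p == str(port):
                found.append(addr)
    return found

def review(conf_text, ss_text):
    """List findings about who can reach authd and what enrollment requires."""
    s = authd_settings(conf_text)
    if s["disabled"] == "yes":
        return ["authd is disabled in configuration"]
    exposed = [a for a in listen_addresses(ss_text, s["port"]) if a not in ("127.0.0.1", "[::1]")]
    findings = [f"authd port {s['port']} listens on {a}: limit access by firewall or segmentation" for a in exposed]
    if s["use_password"] != "yes" and not s["ssl_agent_ca"]:
        findings.append("enrollment requires neither a password nor an agent certificate")
    return findings
```

On a manager, pass the contents of the real `ossec.conf` and the live `ss -ltn` output to `review()` in place of the samples.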

Evidence notes

The NVD record identifies affected CPE configurations including wazuh:wazuh versions up to 3.5.0 and specifically version 4.3.10. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and user interaction required. Availability impact is rated low. The weakness enumeration cites CWE-125 from a secondary source.

Official resources

The vulnerability was disclosed through VulnCheck and is tracked in the National Vulnerability Database. A third-party advisory is available from VulnCheck detailing the heap-buffer overflow condition in Wazuh authd.