PatchSiren cyber security CVE debrief
CVE-2026-40106 wazuh CVE debrief
A heap-based buffer overflow vulnerability exists in the syscheck component of the Wazuh agent for Windows, versions 4.6.0 and above prior to 4.14.5. The vulnerability occurs when expanding registry paths containing wildcards (* or ?). A low-privileged local attacker can force an out-of-bounds write during string concatenation, potentially leading to a Denial of Service (DoS) or Local Privilege Escalation (LPE). The vulnerability has been fixed in version 4.14.5. This issue can lead to a silent Denial of Service (blinding the agent) or potentially Local Privilege Escalation (LPE) since wazuh-agent.exe runs as NT AUTHORITY SYSTEM.
- Vendor
- wazuh
- Product
- Unknown
- CVSS
- MEDIUM 4.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
System administrators and security teams responsible for Wazuh agent installations on Windows systems should prioritize patching to prevent potential exploitation. They should review the current configurations, verify the syscheck component is enabled, and ensure proper monitoring for suspicious activity related to the Wazuh agent.
Technical summary
The Wazuh agent for Windows, versions 4.6.0 and above prior to 4.14.5, contains a heap-based buffer overflow vulnerability in the syscheck component. The vulnerability is triggered when expanding registry paths with wildcards, allowing a low-privileged local attacker to cause an out-of-bounds write. This could result in a silent Denial of Service or potentially Local Privilege Escalation. The vulnerability has been fixed in version 4.14.5. The issue arises from allocating a fixed-size heap buffer of 256 bytes (OS_SIZE_256) when expanding registry paths containing wildcards (* or ?). By creating a registry subkey with a maximum allowed length (255 characters) inside a monitored path, an attacker can exploit this vulnerability.
Defensive priority
High
Recommended defensive actions
- Apply the patch by upgrading to Wazuh version 4.14.5 or later.
- Conduct a thorough inventory of Wazuh agent installations on Windows systems to identify potential vulnerabilities.
- Implement compensating controls, such as monitoring for suspicious activity related to the Wazuh agent.
- Verify that the Wazuh agent is properly configured and that the syscheck component is enabled.
- Review relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-17T02:18:05.780Z and has not been modified since then. The NVD entry is currently 4.7, MEDIUM. The Wazuh agent for Windows, versions 4.6.0 and above prior to 4.14.5, contains a heap-based buffer overflow vulnerability in the syscheck component. This vulnerability occurs when expanding registry paths containing wildcards (* or ?). A low-privileged local attacker can force an out-of-bounds write during string concatenation, potentially leading to a Denial of Service (DoS) or Local Privilege Escalation (LPE). The vulnerability has been fixed in version 4.14.5. Evidence limits suggest verifying Wazuh agent installations and configurations.
Official resources
-
CVE-2026-40106 CVE record
CVE.org
-
CVE-2026-40106 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:05.780Z and has not been modified since then.