PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44251 wazuh CVE debrief

CVE-2026-44251 is a remote denial of service vulnerability in Wazuh versions 3.0.0 and above, prior to 4.14.5. A size_t integer underflow in os_crypto/shared/msgs.c:389 allows any enrolled Wazuh agent to crash the wazuh-remoted process on the manager, immediately disconnecting all agents from the manager. A second code path reached by the same underflow may allow heap memory corruption. The issue has been fixed in version 4.14.5. Users of affected versions should apply the patch and monitor for signs of exploitation.

Vendor
wazuh
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Wazuh versions 3.0.0 and above, prior to 4.14.5, should be aware of this vulnerability and take steps to mitigate it. This includes administrators, security teams, and operators responsible for Wazuh installations.

Technical summary

A size_t integer underflow in os_crypto/shared/msgs.c:389 allows any enrolled Wazuh agent to crash the wazuh-remoted process on the manager, immediately disconnecting all agents from the manager. A second code path reached by the same underflow may allow heap memory corruption. The vulnerability affects Wazuh versions 3.0.0 and above, prior to 4.14.5. The issue has been fixed in version 4.14.5. This vulnerability can be exploited by any enrolled Wazuh agent, and users of affected versions should apply the patch and monitor for signs of exploitation. It is recommended that administrators and security teams review and verify the affected scope and severity with the vendor, and implement compensating controls to detect and prevent exploitation.

Defensive priority

Medium

Recommended defensive actions

  • Inventory Wazuh installations to identify those that are vulnerable.
  • Apply the patch from version 4.14.5 to fix the vulnerability.
  • Monitor Wazuh logs for signs of exploitation.
  • Implement compensating controls to detect and prevent exploitation.
  • Review and verify the affected scope and severity with the vendor.
  • Track exceptions and retest remediated assets.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-17T02:18:05.973Z and has not been modified since then. The NVD entry is currently 6.5 MEDIUM. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability affects Wazuh versions 3.0.0 and above, prior to 4.14.5.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:05.973Z and has not been modified since then.