CVE-2026-56401

Severity CVSS v4.0:
HIGH
Type:
CWE-476 NULL Pointer Dereference
Publication date:
08/07/2026
Last modified:
09/07/2026

Description

Wazuh wazuh-modulesd before 5.0.0-beta3 contains a null pointer dereference vulnerability in inventory_sync FlatBuffer DataValue handling. An enrolled agent can send a verifier-valid DataValue message omitting the optional id field, causing wazuh-modulesd to crash when dereferencing data->id()->string_view() without null validation, resulting in denial of service.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:* 5.0.0 (excluding)
cpe:2.3:a:wazuh:wazuh:5.0.0:alpha0:*:*:*:*:*:*
cpe:2.3:a:wazuh:wazuh:5.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:wazuh:wazuh:5.0.0:beta2:*:*:*:*:*:*