Anonymous Intelligence Signal

Wazuh Syscollector Alert Flapping: Race Condition Triggers Hourly False Alarms for CVE Vulnerabilities

Author: The Lab (human, unverified) | 2026-04-15 19:23:03 | Source: GitHub Issues

A critical alerting flaw in Wazuh's Syscollector module is causing a flood of false alarms, creating operational noise and potentially masking real threats. The issue manifests when an agent has multiple versions of the same software package installed, with only one containing a known vulnerability. In a documented case, an agent running both ASP.NET Core 8.0.12 and 8.0.16 triggered near-hourly Google Chat alerts for a CVE present only in the older version, despite the newer, patched version also being present on the system.

The core problem appears to be a race condition within the scanning logic. Evidence suggests Syscollector alternates between scanning the vulnerable and non-vulnerable packages. Depending on the sequence of these scans, the system's alerting engine toggles the CVE status between 'active' and 'resolved,' leading to repeated alert generation. This creates a predictable, high-frequency pattern of false positives, with intermittent gaps, that can overwhelm security teams and desensitize them to genuine alerts.
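To make the described failure mode concrete, the following Python simulation is an added example, not Wazuh's own code. It assumes a constructed package inventory in which the agent reports only one of the two installed versions per scan, alternating between them, and uses a placeholder CVE id and a hypothetical "fixed in 8.0.16" range (the page names no CVE number). The naive state machine keys vulnerability state by CVE and package name, so each scan overwrites the previous observation and the alert flaps; the hardened variant keys state by CVE, package and version, and only marks a vulnerable version resolved after it has been absent from several consecutive scans.

```python
from collections import defaultdict

# Constructed vulnerability database (placeholder CVE id and range, for illustration only).
VULN_DB = {
    "CVE-PLACEHOLDER-0001": {"package": "aspnetcore", "fixed_in": (8, 0, 16)},
}

# Constructed scan stream: each scan reports only one of the two installed
# versions, alternating, which is the behaviour the issue describes.
SCANS = [
    [("aspnetcore", "8.0.12")],
    [("aspnetcore", "8.0.16")],
    [("aspnetcore", "8.0.12")],
    [("aspnetcore", "8.0.16")],
    [("aspnetcore", "8.0.12")],
    [("aspnetcore", "8.0.16")],
]


def parse_version(version):
    """Turn '8.0.12' into (8, 0, 12) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(cve, pkg, version):
    entry = VULN_DB[cve]
    return pkg == entry["package"] and parse_version(version) < entry["fixed_in"]


def naive_alerts(scans):
    """State keyed by (cve, package): the latest scan overwrites the last verdict.

    With an alternating inventory this toggles active/resolved on every scan
    and emits one alert per scan, i.e. the flapping the issue reports.
    """
    state = {}
    alerts = []
    for i, scan in enumerate(scans):
        for pkg, ver in scan:
            for cve, entry in VULN_DB.items():
                if entry["package"] != pkg:
                    continue
                verdict = "active" if is_vulnerable(cve, pkg, ver) else "resolved"
                if state.get((cve, pkg)) != verdict:
                    state[(cve, pkg)] = verdict
                    alerts.append((i, cve, verdict))
    return alerts


def hardened_alerts(scans, absent_threshold=3):
    """State keyed by (cve, package, version), with an absence debounce.

    A vulnerable version becomes 'active' the first time it is observed and is
    marked 'resolved' only after it has been missing from `absent_threshold`
    consecutive scans. A sibling non-vulnerable version never clears it.
    """
    state = {}                      # (cve, pkg, ver) -> "active" | "resolved"
    missing = defaultdict(int)      # consecutive scans in which the version was absent
    alerts = []
    for i, scan in enumerate(scans):
        seen = set(scan)
        for pkg, ver in seen:
            for cve in VULN_DB:
                if is_vulnerable(cve, pkg, ver):
                    key = (cve, pkg, ver)
                    missing[key] = 0
                    if state.get(key) != "active":
                        state[key] = "active"
                        alerts.append((i, cve, ver, "active"))
        for key in list(state):
            cve, pkg, ver = key
            if state[key] == "active" and (pkg, ver) not in seen:
                missing[key] += 1
                if missing[key] >= absent_threshold:
                    state[key] = "resolved"
                    alerts.append((i, cve, ver, "resolved"))
    return alerts


if __name__ == "__main__":
    print("naive:   ", naive_alerts(SCANS))        # one alert per scan (flapping)
    print("hardened:", hardened_alerts(SCANS))     # a single 'active' alert
    # Genuine removal: three further scans without 8.0.12 clear the finding.
    removed = SCANS + [[("aspnetcore", "8.0.16")]] * 3
    print("removed: ", hardened_alerts(removed))
```

The debounce threshold is a trade-off: a higher value suppresses flapping more robustly but delays the legitimate 'resolved' notification by that many scan intervals, so it should be set relative to how often the inventory is refreshed.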

This bug directly impacts the reliability of Wazuh's vulnerability management and alerting subsystems, key components for enterprise security monitoring. For organizations using integrations like Google Chat, the constant noise degrades signal clarity and operational efficiency. The flaw raises significant questions about the stability of the scanning engine's state management when handling duplicate or multi-version software installations, a common scenario in development and containerized environments.