
Description

A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener: the affected service crashes.

PUBLISHED Reserved 2026-06-02 | Published 2026-06-16 | Updated 2026-06-17 | Assigner redhat

HIGH: 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Problem types

Integer Overflow or Wraparound

Product status

Default status: affected

Timeline

2026-04-26: Reported to Red Hat.
2026-06-16: Made public.

Credits

This issue was discovered by AISLE in partnership with Red Hat.

References

www.openwall.com/lists/oss-security/2026/06/16/6 (mailing list)
access.redhat.com/security/cve/CVE-2026-10649 (vdb-entry)
bugzilla.redhat.com/show_bug.cgi?id=2462817 (RHBZ#2462817, issue-tracking)
github.com/clusterLabs/pacemaker/pull/4128
cve.org (CVE-2026-10649)
nvd.nist.gov (CVE-2026-10649)