Integer Overflow Vulnerability in Pacemaker Affects Remote Message Processing
CVE-2026-10649

8.6HIGH

Key Information:

Vendor

Red Hat
Status
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Vendor
CVE Published:
16 June 2026

What is CVE-2026-10649?

A vulnerability exists in Pacemaker that permits unauthenticated remote attackers to exploit an integer overflow in the remote message decompression process. By sending a specially crafted compressed message before authentication, the attacker can trigger memory corruption. This flaw can lead to a denial of service condition within the CIB remote listener, resulting in the service crashing and potentially impairing operations.

References

https://access.redhat.com/security/cve/CVE-2026-10649
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2462817
issue-trackingx_refsource_REDHAT
https://github.com/clusterLabs/pacemaker/pull/4128

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered by Found by AISLE in partnership with Red Hat.
.