CVE Catalog

CVE-2026-10649

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.44%

35th percentile — higher than 35% of all known CVEs

Summary

A flaw was found in Pacemaker where an integer overflow in the remote message decompression process allows an unauthenticated attacker to send a crafted compressed message before authentication. This causes memory corruption and a denial of service (DoS) in the CIB remote listener, leading to service crash.

Risk Assessment

The risk is a remote unauthenticated DoS attack that can disrupt Pacemaker cluster management services, potentially affecting the availability of critical systems.

Recommendation

Immediately update Pacemaker to the latest patched version. If not possible, restrict access to ports used by the CIB remote listener to trusted networks only.

Original NVD description (English source)

A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS