CVE-2026-10649
HighCVSS 8.6Exploitation Probability (EPSS)
Low risk35th percentile — higher than 35% of all known CVEs
Summary
A flaw was found in Pacemaker where an integer overflow in the remote message decompression process allows an unauthenticated attacker to send a crafted compressed message before authentication. This causes memory corruption and a denial of service (DoS) in the CIB remote listener, leading to service crash.
Risk Assessment
The risk is a remote unauthenticated DoS attack that can disrupt Pacemaker cluster management services, potentially affecting the availability of critical systems.
Recommendation
Immediately update Pacemaker to the latest patched version. If not possible, restrict access to ports used by the CIB remote listener to trusted networks only.
Original NVD description (English source)
A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing.

