CVE-2026-10649

HIGH 8.6

Pacemaker: pacemaker: denial of service via integer overflow in remote message decompression

CVSS Score

8.6

EPSS Score

0.0%

EPSS Percentile

0th

A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing.

CWE	CWE-190
Vendor	red hat
Product	red hat enterprise linux 10
Published	Jun 16, 2026
Last Updated	Jun 16, 2026

Stay Ahead of the Next One

Get instant alerts for red hat red hat enterprise linux 10

Be the first to know when new high vulnerabilities affecting red hat red hat enterprise linux 10 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Affected Versions

Red Hat / Red Hat Enterprise Linux 10

All versions affected

Red Hat / Red Hat Enterprise Linux 6

All versions affected

Red Hat / Red Hat Enterprise Linux 7

All versions affected

Red Hat / Red Hat Enterprise Linux 8

All versions affected

Red Hat / Red Hat Enterprise Linux 9

All versions affected

Red Hat / Red Hat OpenShift Container Platform 4

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-10649 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2462817 github.com: https://github.com/clusterLabs/pacemaker/pull/4128 openwall.com: http://www.openwall.com/lists/oss-security/2026/06/16/6

Credits

This issue was discovered by Found by AISLE in partnership with Red Hat.