Severity: High

Pacemaker CIB Remote Listener DoS via Integer Overflow in Remote Message Decompression

Identifiers: CVE-2026-10649; CWE-190: Integer Overflow or Wraparound

CVE-2026-10649 is an integer overflow vulnerability in Pacemaker’s remote message decompression logic affecting the pre-authentication handling path for remote messages. The flaw is reported in pcmk__remote_message_xml() in lib/common/remote.c, reachable via the CIB remote listener path in daemons/based/based_remote.c. Attacker-controlled remote message header fields, including payload_offset, payload_compressed, and payload_uncompressed, are used in size calculations without sufficient bounds and consistency validation. Specifically, calculations such as 1 + header->payload_uncompressed and header->payload_offset + size_u can wrap, causing allocation of a destination buffer smaller than intended before BZ2_bzBuffToBuffDecompress() is invoked. A specially crafted compressed remote message sent before authentication can therefore trigger memory corruption in the listener process. The demonstrated outcome is a crash of the CIB remote listener, resulting in denial of service.
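As an added illustration (not Pacemaker's own code), the header-size arithmetic the advisory describes in its unchecked form, next to an overflow-checked validation that rejects wrapped or out-of-range values before any destination buffer is allocated. The struct, the uint32_t field widths, the meaning of size_u (1 + payload_uncompressed) and the 64 MiB cap are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header: the field names come from the advisory; the uint32_t
 * widths, the struct layout and the meaning of size_u are assumptions. */
struct remote_header {
    uint32_t payload_offset;       /* where the payload starts in the message */
    uint32_t payload_compressed;   /* compressed byte count, 0 if not compressed */
    uint32_t payload_uncompressed; /* length the sender claims after inflation */
};

/* The unchecked pattern the advisory describes, computed in the field width so
 * the wraparound is visible (UINT32_MAX + 1 == 0). For comparison only. */
uint32_t naive_size_u(const struct remote_header *h)
{
    return 1 + h->payload_uncompressed;
}

uint32_t naive_payload_end(const struct remote_header *h)
{
    return h->payload_offset + naive_size_u(h); /* can wrap below msg_len */
}

#define MAX_REMOTE_PAYLOAD ((size_t)64 * 1024 * 1024) /* assumed ceiling */
/* Checked version: widen to size_t, use overflow-checked adds, cap the claimed
 * size, and require the payload to lie inside the bytes actually received. */
bool checked_remote_sizes(const struct remote_header *h, size_t msg_len,
                          size_t *size_u, size_t *payload_end)
{
    size_t dest, in_len, end;
    if (h->payload_uncompressed > MAX_REMOTE_PAYLOAD) return false;
    if (__builtin_add_overflow((size_t)h->payload_uncompressed, 1u, &dest)) return false;
    /* bytes consumed from the message: compressed length, or the raw payload */
    in_len = h->payload_compressed ? (size_t)h->payload_compressed : dest;
    if (__builtin_add_overflow((size_t)h->payload_offset, in_len, &end)) return false;
    if (end > msg_len) return false;
    *size_u = dest;
    *payload_end = end;
    return true;
}

int main(void)
{
    struct remote_header bad = { 0xFFFFFFF0u, 0, 0x1Fu }; /* constructed header */
    size_t s, e;
    printf("naive end 0x%x, checked: %s\n", (unsigned)naive_payload_end(&bad),
           checked_remote_sizes(&bad, 64, &s, &e) ? "accepted" : "rejected");
    return 0;
}
```

The constructed header in main() makes the naive end land at 0x10, inside a 64-byte message, while the checked version rejects it because the true end exceeds the received length.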


ANALYST BRIEF: Impact, mitigation and remediation

Impact

Successful exploitation allows an unauthenticated remote attacker to corrupt memory in the Pacemaker CIB remote listener and crash the affected service, causing denial of service. Red Hat assigned CVSS v3.1 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). The demonstrated impact is service instability and listener termination. Only DoS was established in the available reporting; limited confidentiality or integrity effects from in-memory corruption were not fully ruled out, and further memory-corruption consequences were noted as theoretically possible. Remote code execution was considered unlikely and was not demonstrated.

Mitigation

If the CIB remote listener is not required, disable it. If it must remain enabled, restrict inbound network access to the configured remote-port or remote-tls-port so only trusted peers can reach it, for example with host-based or network firewalls. The provided content also notes that a Pacemaker service restart may be necessary for mitigation changes to fully apply.

Remediation

Apply the upstream/vendor fix for CVE-2026-10649. The available content indicates patches were published upstream in ClusterLabs Pacemaker pull request #4128. Deploy updated Pacemaker packages from the relevant vendor once available for affected platforms. Because the flaw is in pre-authentication remote message parsing, remediation should prioritize any systems exposing the CIB remote listener on configured remote-port or remote-tls-port.

PUBLIC EXPLOITS

No public exploit code observed for this vulnerability.
