CVE-2026-10649: Pacemaker: pacemaker: denial of service via integer overflow in remote message decompression
A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing.
Metrics
- CVSS v3.1: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 6
HarborGuard Analysis
Synopsis
An integer overflow vulnerability in Pacemaker's remote message decompression path allows an unauthenticated attacker to send a specially crafted compressed message over the network, triggering memory corruption in the CIB remote listener before any authentication check occurs. Successful exploitation crashes the affected service, causing a denial of service in the Pacemaker cluster infrastructure manager. No upstream fix has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as one is released.
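The defensive pattern the synopsis points at, shown as an added illustration that is not Pacemaker's code and not HarborGuard's: a length-prefixed compressed message is checked for arithmetic wraparound and against a hard size cap before any buffer is sized, because this code runs before the peer has authenticated. The header layout, the 16 MiB cap and the names check_header and check_sample are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical length-prefixed header, constructed for this example;
 * it is not Pacemaker's wire format. */
struct msg_header {
    uint32_t compressed_len;    /* bytes of compressed payload that follow */
    uint32_t uncompressed_len;  /* size the sender claims after decompression */
};

enum check_result { CHECK_OK = 0, CHECK_TOO_SHORT, CHECK_OVERFLOW, CHECK_TOO_LARGE };

/* Assumed cap on pre-authentication allocations: a peer that has not yet
 * authenticated should never be able to make the listener allocate more. */
#define MAX_UNCOMPRESSED (16u * 1024u * 1024u)
/* Weak pattern: trusts the header and sizes the buffer with unchecked
 * arithmetic, so uncompressed_len == UINT32_MAX wraps to 0 and the
 * decompressor later writes far past the buffer it was handed. */
uint32_t naive_alloc_size(uint32_t uncompressed_len) {
    return uncompressed_len + 1;   /* room for a terminating NUL */
}

/* Hardened pattern: every length is validated before it is used in
 * arithmetic, and the claimed size is capped independently of overflow. */
enum check_result check_header(const unsigned char *buf, size_t buf_len,
                               struct msg_header *out) {
    if (buf_len < sizeof(*out))
        return CHECK_TOO_SHORT;
    memcpy(out, buf, sizeof(*out));              /* host byte order, by assumption */
    if (out->compressed_len > buf_len - sizeof(*out))
        return CHECK_TOO_SHORT;                  /* payload does not fit what we read */
    if (out->uncompressed_len > UINT32_MAX - 1)
        return CHECK_OVERFLOW;                   /* the +1 for the NUL would wrap */
    if (out->uncompressed_len > MAX_UNCOMPRESSED)
        return CHECK_TOO_LARGE;                  /* reject before allocating anything */
    return CHECK_OK;
}
/* Builds a constructed message with the given header fields in a fixed
 * 64-byte buffer and runs the hardened check on it. */
enum check_result check_sample(uint32_t compressed_len, uint32_t uncompressed_len,
                               size_t buf_len) {
    unsigned char buf[64] = {0};
    struct msg_header hdr = { compressed_len, uncompressed_len }, parsed;
    if (buf_len > sizeof(buf)) buf_len = sizeof(buf);
    memcpy(buf, &hdr, sizeof(hdr));
    return check_header(buf, buf_len, &parsed);
}
```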
HarborGuard Coverage
- Detection of CVE-2026-10649 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle Pacemaker or its libraries. (Status: Available)
- HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 8.6 (HIGH) and weighting it against each customer organization's compliance policy to surface it in the appropriate team inbox, with no manual feed subscription required. (Status: Available)
- Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment Red Hat or the upstream Pacemaker project ships a corrected package. In the interim, compensating controls such as network-policy isolation of the CIB remote listener port are surfaced as advisory guidance within the platform. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Pacemaker CIB remote listener over the network; exposure to any network path that can connect to the listener port is sufficient.
- Authentication: Not required
  The vulnerable decompression code executes before any authentication check, so no credentials or account of any kind are needed.
- Victim interaction: Not required
  No action by an operator or user is required; the attacker sends a crafted message and the crash occurs without any victim participation.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental preconditions.
Blast Radius
- Crashes the Pacemaker CIB remote listener process, taking down cluster configuration management on the affected node.
- Disrupts high-availability cluster coordination, which can trigger uncontrolled failover or leave cluster resources unmanaged.
- Confidentiality and integrity of cluster state may be partially affected due to the memory corruption that precedes the crash.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-10649 at this time, the platform monitors the Red Hat and upstream Pacemaker advisory on every ingest cycle and will trigger an automatic patched-image rebuild the moment a corrected package version is published. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention required. While no patch is available, HarborGuard surfaces compensating-control guidance including network-policy rules to restrict access to the Pacemaker CIB remote listener port to known cluster peers only, and egress filtering to reduce the attack surface of nodes running affected Pacemaker versions. Where compliance policy permits, affected images are flagged at the pipeline gate to prevent promotion of vulnerable builds to production until a fix is available.
Affected Products
- Red Hat / Red Hat Enterprise Linux 10
- Red Hat / Red Hat Enterprise Linux 6
- Red Hat / Red Hat Enterprise Linux 7
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 9
- Red Hat / Red Hat OpenShift Container Platform 4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H