CVE-2026-10649
HIGH · 8.6
Fresh disclosure, aggregator noise dominates; no PoC or active exploitation signals yet.
What: Integer overflow in Pacemaker's remote message decompression allowing unauthenticated DoS via memory corruption (CVSS 8.6 HIGH).
Why it matters: Published 16 June 2026 with no KEV listing yet. Posts are aggregator/feed repeats of NVD data within hours of publication—no PoC, no vendor advisory signals, no defender triage reports. Standard disclosure chatter only.
Where it's seen: Automated social feeds republishing CVE feeds and vulnerability aggregator content. No original security research, no patch announcements, no in-the-wild reports.
RISK: HIGH — Unauthenticated remote DoS affecting cluster infrastructure (Pacemaker); pre-auth exploitation path.
Description
A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing.
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: High