
Pacemaker CVE-2026-10649
EUVD-2026-37128 · HIGH
Integer Overflow or Wraparound (CWE-190)
CVSS 3.1 (Vendor): 8.6

Severity by source

Vendor (CNA), primary: 8.6 HIGH
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

vuln.today AI: 7.5 HIGH
Pre-auth network reachable with no UI, so AV:N/AC:L/PR:N/UI:N; the description only substantiates a service crash, so C:N/I:N/A:H.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: High

Lifecycle Timeline (5 events)

Source Code Evidence Fetched: Jun 16, 2026 17:29 (vuln.today)
Analysis Updated: Jun 16, 2026 17:29 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Jun 16, 2026 17:22 (vuln.today), reason: cvss_changed
CVSS changed: Jun 16, 2026 17:22 (NVD), 8.6 (HIGH)
Analysis Generated: Jun 16, 2026 16:16 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Denial of service in Pacemaker's CIB remote listener allows unauthenticated remote attackers to crash the cluster service by sending a specially crafted compressed message. The vulnerability is an integer overflow (CWE-190) triggered during pre-authentication message decompression, leading to memory corruption. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Recon: Reach CIB remote listener on TCP/3121
Delivery: Send crafted compressed v0 header
Exploit: Overflow payload size arithmetic
Install: Undersized heap allocation for decompression
C2: BZ2 decompress corrupts heap
Execute: Pacemaker CIB listener crashes
Impact: Cluster management denial of service

Vulnerability Assessment (AI)

Exploitation: Exploitation requires network reachability to a Pacemaker node running the CIB remote listener or pacemaker_remote service (default TCP/3121) with remote-tls-port or remote-clear-port enabled in the CIB; no credentials, TLS client certificate, or PSK knowledge is required because the integer overflow is triggered in header parsing and decompression before the authentication handshake completes. …

Risk Assessment: The provided CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H scores 8.6 and reflects a pre-authentication, network-reachable bug with high availability impact, which is consistent with the description of a remote listener crash before authentication. …

Exploit Scenario: An attacker with network reachability to a Pacemaker node's CIB remote listener (TCP/3121) opens a connection and sends a single crafted message whose v0 header fields (payload_offset, payload_compressed, payload_uncompressed, size_total) are chosen to overflow the destination-buffer arithmetic before BZ2 decompression. The undersized allocation and subsequent decompression corrupt heap memory, crashing the CIB remote listener and disrupting cluster management; with no public exploit identified at the time of analysis, this is a one-shot DoS scenario rather than a chained intrusion.

Remediation: An upstream fix is available (PR/commit https://github.com/clusterLabs/pacemaker/pull/4128); a released patched version has not been independently confirmed, so administrators should track their distribution's Pacemaker package update (Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-10649 and Bugzilla #2462817 at https://bugzilla.redhat.com/show_bug.cgi?id=2462817, plus the oss-security thread at https://seclists.org/oss-sec/2026/q2/944) and upgrade as soon as a tagged release or vendor errata is published. …
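The assessment above attributes the crash to destination-buffer size arithmetic that wraps before the decompression buffer is allocated. The following C is an added example, not Pacemaker's code and not the fix in the linked PR: it places the unchecked 32-bit sum beside a hardened validator that rejects a header whose sizes wrap or are mutually inconsistent before anything is allocated. The struct layout, field semantics and the 64 MiB cap are assumptions; only the field names are borrowed from the assessment text, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical v0-style message header. Field names follow the assessment
 * text; the layout and semantics are assumptions, not Pacemaker's struct. */
struct msg_header_v0 {
    uint32_t payload_offset;       /* bytes from message start to the payload */
    uint32_t payload_compressed;   /* on-wire (compressed) payload length */
    uint32_t payload_uncompressed; /* peer-claimed length after decompression */
    uint32_t size_total;           /* peer-claimed total on-wire message size */
};

/* Assumed hard cap on what one decompressed message may ever occupy. */
#define MAX_DECOMPRESSED_BYTES (64u * 1024u * 1024u)

enum hdr_verdict { HDR_OK = 0, HDR_WRAP, HDR_INCONSISTENT, HDR_TOO_LARGE };

/* CWE-190 illustration: a plain uint32_t sum wraps modulo 2^32, so a hostile
 * header can make "header + decompressed payload" look tiny. Allocating that
 * many bytes and then decompressing into the buffer is the heap-corruption
 * pattern the assessment describes. */
static uint32_t unchecked_dest_size(const struct msg_header_v0 *h)
{
    return h->payload_offset + h->payload_uncompressed;
}

/* Hardened version: every sum uses overflow-detecting arithmetic and the
 * result is bounded before the caller is allowed to allocate anything.
 * On HDR_OK, *dest_size (if non-NULL) receives the buffer size to allocate. */
static enum hdr_verdict validate_header(const struct msg_header_v0 *h, size_t *dest_size)
{
    uint32_t wire_end, dest;

    /* The compressed payload must lie entirely inside the advertised message. */
    if (__builtin_add_overflow(h->payload_offset, h->payload_compressed, &wire_end))
        return HDR_WRAP;
    if (wire_end > h->size_total)
        return HDR_INCONSISTENT;

    /* The destination (header + decompressed payload) must not wrap either,
     * and must stay under the absolute cap regardless of what the peer claims. */
    if (__builtin_add_overflow(h->payload_offset, h->payload_uncompressed, &dest))
        return HDR_WRAP;
    if (dest > MAX_DECOMPRESSED_BYTES)
        return HDR_TOO_LARGE;

    if (dest_size)
        *dest_size = dest;
    return HDR_OK;
}

/* Convenience for callers: validated destination size, or 0 if rejected. */
static size_t validated_dest_size(const struct msg_header_v0 *h)
{
    size_t n = 0;
    return validate_header(h, &n) == HDR_OK ? n : 0;
}

/* Constructed sample headers (not captured traffic). */
static const struct msg_header_v0 sample_benign = { 16, 100, 400, 116 };
/* payload_offset + payload_uncompressed = 0xFFFFFFF0 + 0x20 wraps to 0x10. */
static const struct msg_header_v0 sample_wrap = { 0xFFFFFFF0u, 8, 0x20, 0xFFFFFFF8u };
/* Compressed payload claimed to extend past the end of the message. */
static const struct msg_header_v0 sample_inconsistent = { 16, 200, 400, 116 };

static const char *verdict_name(enum hdr_verdict v)
{
    static const char *const names[] = { "ok", "wrap", "inconsistent", "too-large" };
    return names[v];
}

int main(void)
{
    const struct msg_header_v0 *samples[] = { &sample_benign, &sample_wrap, &sample_inconsistent };
    for (size_t i = 0; i < 3; i++) {
        printf("sample %zu: unchecked size %u, validator says %s (size %zu)\n",
               i, (unsigned)unchecked_dest_size(samples[i]),
               verdict_name(validate_header(samples[i], NULL)),
               validated_dest_size(samples[i]));
    }
    return 0;
}
```

The point of the validator is ordering: every length the peer controls is checked with `__builtin_add_overflow` and bounded by a fixed cap before `malloc` or the decompressor sees it. A real listener would additionally cap `size_total` before reading the message body, and would pass the validated destination size (not the peer's `payload_uncompressed`) as the output-buffer limit to the bzip2 call so that a compression bomb or a lying header cannot write past the allocation.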

Recommended Action (AI)

Within 24 hours: inventory Pacemaker deployments and identify external network exposure of CIB remote listener (typically port 40000); implement firewall rules restricting listener access to trusted management networks only. …



CVE-2026-10649 vulnerability details – vuln.today
