2462817 – (CVE-2026-10649) CVE-2026-10649 pacemaker: Pacemaker: Denial of Service via integer overflow in remote message decompression

Bug 2462817 (CVE-2026-10649) - CVE-2026-10649 pacemaker: Pacemaker: Denial of Service via integer overflow in remote message decompression

Summary: CVE-2026-10649 pacemaker: Pacemaker: Denial of Service via integer overflow i...

Keywords:
Status:	NEW
Alias:	CVE-2026-10649
Deadline:	2026-06-16
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2489310
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-26 20:09 UTC by OSIDB Bzimport
Modified:	2026-06-16 16:33 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-26 20:09:59 UTC

AI_ONLY_REPORT
package: pacemaker-3.0.1-5.el10
------
Summary: Integer Overflow in Remote Message Decompression: crafted pre-auth  
compressed remote messages can wrap size calculations before allocation,  
leading to memory corruption and denial of service in the CIB remote  
listener.
Requirements to exploit: Network reachability to a `pacemaker-based` CIB  
remote listener configured with `remote-port` or `remote-tls-port`, and the  
ability to send a crafted compressed remote message before authentication.  
The reproduction below demonstrates the fault on a 32-bit build with a  
memory sanitizer.
Component affected: `pacemaker-3.0.1-5.el10`, `lib/common/remote.c`,  
`pcmk__remote_message_xml()`, with the pre-auth call path through the CIB  
remote listener in `daemons/based/based_remote.c`
Version affected: `pacemaker-3.0.1-5.el10` when the CIB remote listener is  
enabled; the supplied reproduction demonstrates impact on a 32-bit build
Patch available: no released package fix established; proposed patch  
included below
Version fixed: unknown
Upstream coordination: Not notified.
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 (HIGH)
AV:N - The vulnerable parser is reachable over the network when the CIB  
remote listener is enabled.
AC:L - The malformed header values and compressed payload are  
straightforward to construct.
PR:N - The message is parsed before authentication.
UI:N - No user interaction is required.
S:U - The demonstrated impact is within the scope of the service  
handling the remote message.
C:N - The available evidence does not establish unauthorized disclosure  
of data.
I:N - The available evidence does not establish unauthorized  
modification of data.
A:H - A crafted message can trigger memory corruption and crash the  
service during decompression.
Impact: Important. Red Hat classifies flaws that allow remote users to  
cause a denial of service as Important. Here, an unauthenticated network  
client can reach the vulnerable parser before authentication and trigger a  
crash where the CIB remote listener is enabled. This is not Critical  
because the available evidence supports availability impact, not  
unauthenticated code execution or broader system compromise.
Embargo: yes
Reason: The issue is pre-auth and network-reachable when the listener  
is enabled, the malformed packet is straightforward to build, and no  
released fix is established yet.
Acknowledgement: Aisle Research
Vulnerability Details: In the remote message decompression path,  
attacker-controlled header values are used in size calculations before  
allocation:
```c
if (header->payload_compressed) {
int rc = 0;
unsigned int size_u = 1 + header->payload_uncompressed;
char *uncompressed =
pcmk__assert_alloc(1, header->payload_offset + size_u);
...
rc = BZ2_bzBuffToBuffDecompress(uncompressed + header->payload_offset,  
&size_u,
remote->buffer + header->payload_offset,
header->payload_compressed, 1, 0);
```
`payload_offset`, `payload_compressed`, and `payload_uncompressed` are  
taken from the received remote message header, and there are no preceding  
bounds or consistency checks on these fields before `size_u` and the  
allocation length are derived. A crafted message can therefore cause `1 +  
payload_uncompressed` or `payload_offset + size_u` to wrap before  
allocation, leaving a small destination buffer while the decompressor is  
still asked to produce a much larger output region.
This parsing occurs before client authentication on the CIB remote  
listener, so an unauthenticated client that can reach that listener can  
trigger the vulnerable path before `cib_remote_auth()` completes. The  
available evidence supports a denial-of-service outcome through memory  
corruption and crash. It does not establish confidentiality, integrity, or  
code-execution impact, so those effects should be treated as unproven.
Steps to reproduce:
1. Build and run a 32-bit `pacemaker-based` with ASan or another memory  
sanitizer, and enable `remote-port` or `remote-tls-port`.
2. Connect to the CIB remote listener and send one packet with  
`payload_offset = 0x00000028`, `payload_uncompressed = 0xFFFFFFC0`,  
`payload_compressed = len(bz2_payload)` where `bz2_payload =  
bz2.compress(b"A"*512 + b"\x00")`, and `size_total = payload_offset +  
payload_compressed`.
3. Send the header and `bz2_payload` as a single remote message.
4. Observe an out-of-bounds write or crash inside or immediately around  
`BZ2_bzBuffToBuffDecompress()` from `pcmk__remote_message_xml()` before  
authentication completes.
Note: `payload_uncompressed = UINT32_MAX` alone is not the best trigger.  
Values near `UINT32_MAX` that make `payload_offset + (1 +  
payload_uncompressed)` wrap are the more reliable case.
Mitigation: Disable the CIB remote listener where it is not required. If it  
must remain enabled, restrict network access to trusted peers only. These  
steps reduce exposure but do not correct the underlying validation flaw.
Proposed Fix: Validate header layout and sizes before decompression, and  
use overflow-safe arithmetic for the allocation size.
```diff
diff --git a/lib/common/remote.c b/lib/common/remote.c
@@ -300,10 +300,34 @@ pcmk_remote_message_xml(pcmk_remote_t *remote)
/* Support compression on the receiving end now, in case we ever want  
to add it later */
if (header->payload_compressed) {
int rc = 0;
       unsigned int size_u = 1 + header->payload_uncompressed;

       char *uncompressed =

           pcmk__assert_alloc(1, header->payload_offset + size_u);
+        size_t alloc_size = 0;
+        unsigned int size_u = 0;
+        char *uncompressed = NULL;
+
+        if (header->payload_offset < sizeof(struct remote_header_v0)) {
+            crm_err("Invalid remote payload offset %u",  
header->payload_offset);
+            return NULL;
+        }
+        if (((size_t) header->payload_offset + (size_t)  
header->payload_compressed)
+            != (size_t) header->size_total) {
+            crm_err("Invalid remote payload sizing");
+            return NULL;
+        }
+        if ((size_t) header->size_total > remote->buffer_offset) {
+            crm_err("Incomplete remote message buffer");
+            return NULL;
+        }
+        if (header->payload_uncompressed >= UINT_MAX) {
+            crm_err("Invalid remote uncompressed size %u",  
header->payload_uncompressed);
+            return NULL;
+        }
+
+        size_u = header->payload_uncompressed + 1U;
+        if ((size_t) header->payload_offset > (SIZE_MAX - (size_t)  
size_u)) {
+            crm_err("Remote payload size overflow");
+            return NULL;
+        }
+        alloc_size = (size_t) header->payload_offset + (size_t) size_u;
+        uncompressed = pcmk__assert_alloc(1, alloc_size);


crm_trace("Decompressing message data %d bytes into %d bytes",
header->payload_compressed, size_u);
```
------
This report was generated using AI technology. Always review AI-generated  
content prior to use

Note You need to log in before you can comment on or make changes to this bug.