CVE-2026-10649

Publié : 16 juin 2026

Modifié : 16 juin 2026

Score CVSS

8.6

HIGH

Description détaillée

A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Références et Patchs

https://access.redhat.com/security/cve/CVE-2026-10649 https://bugzilla.redhat.com/show_bug.cgi?id=2462817 https://github.com/clusterLabs/pacemaker/pull/4128 http://www.openwall.com/lists/oss-security/2026/06/16/6

Dernières Vulnérabilités

CVE-2026-53866

OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.

VOIR DÉTAILS

CVE-2026-53865

OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance operations by manipulating workspace-derived environment paths.

VOIR DÉTAILS

CVE-2026-53864

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.

VOIR DÉTAILS