Cyber Posture

CVE-2026-35091

Severity: High · Public PoC

Published: 01 April 2026
Modified: 06 May 2026
KEV Added:
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0073 (72.8th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Timely flaw remediation through vendor patches directly fixes the wrong return value vulnerability in Corosync's membership commit token sanity check, preventing exploitation.
- prevent: Information input validation ensures proper checking of UDP packets, directly addressing the flawed sanity check that allows crafted packets to trigger out-of-bounds reads.
- prevent: Denial-of-service protection limits the impact of crafted UDP packets causing service crashes in Corosync's default totemudp/totemudpu mode.

Security Summary [AI-generated]

CVE-2026-35091 is a wrong return value vulnerability in the Corosync membership commit token sanity check. A remote unauthenticated attacker can exploit it by sending a specially crafted User Datagram Protocol (UDP) packet, triggering an out-of-bounds read. This flaw affects Corosync when running in its default totemudp/totemudpu mode and can result in a denial of service (DoS) or the disclosure of limited memory contents. The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and is associated with CWE-253.

A remote unauthenticated attacker with network access to a vulnerable Corosync instance can exploit this issue without requiring privileges or user interaction. Exploitation involves transmitting a malicious UDP packet that bypasses the sanity check, leading to an out-of-bounds read. The primary impact is a DoS from crashing the service, reflected in the High availability rating; the potential leak of limited memory contents is reflected in the Low confidentiality rating.

Red Hat advisories provide mitigations through patches in errata RHSA-2026:13644, RHSA-2026:13657, and RHSA-2026:13673. Further details on the vulnerability and remediation are documented on the Red Hat security page at https://access.redhat.com/security/cve/CVE-2026-35091 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2453169.

Details

CWE(s)

CWE-253 (Incorrect Check of Function Return Value)

Affected Products

| Vendor   | Product          | Versions               |
|----------|------------------|------------------------|
| corosync | corosync         | all versions           |
| redhat   | openshift        | 4.0                    |
| redhat   | enterprise linux | 10.0, 7.0, 8.0, 9.0    |

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability enables remote unauthenticated exploitation of a network-exposed service (Corosync over UDP) to cause application crash (DoS), directly mapping to application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References