A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00989.

Exploitation none

Automatable yes

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Red Hat Red Hat Enterprise Linux 10 affected
Version Status Constraints
0:3.1.9-2.el10_1.1 unaffected < *
Red Hat Red Hat Enterprise Linux 10.0 Extended Update Support affected
Version Status Constraints
0:3.1.9-1.el10_0.2 unaffected < *
Red Hat Red Hat Enterprise Linux 8 affected
Version Status Constraints
0:3.1.8-1.el8_10.1 unaffected < *
Red Hat Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support affected
Version Status Constraints
0:3.1.0-3.el8_4.2 unaffected < *
Red Hat Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On affected
Version Status Constraints
0:3.1.0-3.el8_4.2 unaffected < *
Red Hat Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support affected
Version Status Constraints
0:3.1.5-2.el8_6.1 unaffected < *
Red Hat Red Hat Enterprise Linux 8.6 Telecommunications Update Service affected
Version Status Constraints
0:3.1.5-2.el8_6.1 unaffected < *
Red Hat Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions affected
Version Status Constraints
0:3.1.5-2.el8_6.1 unaffected < *
Red Hat Red Hat Enterprise Linux 8.8 Telecommunications Update Service affected
Version Status Constraints
0:3.1.7-1.el8_8.1 unaffected < *
Red Hat Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions affected
Version Status Constraints
0:3.1.7-1.el8_8.1 unaffected < *
Red Hat Red Hat Enterprise Linux 9 affected
Version Status Constraints
0:3.1.9-2.el9_7.1 unaffected < *
Red Hat Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions affected
Version Status Constraints
0:3.1.5-3.el9_0.1 unaffected < *
Red Hat Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions affected
Version Status Constraints
0:3.1.7-1.el9_2.1 unaffected < *
Red Hat Red Hat Enterprise Linux 9.4 Extended Update Support affected
Version Status Constraints
0:3.1.8-1.el9_4.1 unaffected < *
Red Hat Red Hat Enterprise Linux 9.6 Extended Update Support affected
Version Status Constraints
0:3.1.9-2.el9_6.1 unaffected < *
Red Hat Red Hat Enterprise Linux 7 affected
Red Hat Red Hat OpenShift Container Platform 4 affected

Configuration 1 [-]

OR cpe:2.3:a:corosync:corosync:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Corosync Subscribe
Corosync Subscribe
Redhat Subscribe
Enterprise Linux Subscribe
Openshift Container Platform Subscribe

Project Subscriptions

Vendors Products
Corosync Subscribe
Corosync Subscribe
Redhat Subscribe
Enterprise Linux Subscribe
Enterprise Linux Eus Subscribe
Openshift Subscribe
Openshift Container Platform Subscribe
Rhel Aus Subscribe
Rhel E4s Subscribe
Rhel Eus Subscribe
Rhel Eus Long Life Subscribe
Rhel Tus Subscribe
Advisories
Source ID Title
Debian DSA Debian DSA DSA-6261-1 corosync security update
Ubuntu USN Ubuntu USN USN-8170-1 Corosync vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

Systems using totemudp or totemudpu should migrate to the supported knet transport and enable encryption. Disabling the Corosync service is a valid workaround if clustering is not required, but for active clusters, enabling encryption via knet is the preferred and recommended approach.

References
Link Providers
https://access.redhat.com/errata/RHSA-2026:13644 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:13657 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:13673 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:14205 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:14210 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:14211 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:14212 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:14213 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:14214 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:14215 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:14216 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2026-35091 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2453169 cve-icon cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2453813 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-35091 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-35091 cve-icon
History

Wed, 13 May 2026 08:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration. A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_e4s:9.0::appstream
cpe:/a:redhat:rhel_e4s:9.0::highavailability
cpe:/a:redhat:rhel_e4s:9.0::resilientstorage
cpe:/a:redhat:rhel_e4s:9.2::appstream
cpe:/a:redhat:rhel_e4s:9.2::highavailability
cpe:/a:redhat:rhel_e4s:9.2::resilientstorage
References

Wed, 06 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.4::appstream
cpe:/a:redhat:rhel_eus:9.4::crb
cpe:/a:redhat:rhel_eus:9.4::highavailability
cpe:/a:redhat:rhel_eus:9.4::resilientstorage
cpe:/a:redhat:rhel_eus:9.6::appstream
cpe:/a:redhat:rhel_eus:9.6::crb
cpe:/a:redhat:rhel_eus:9.6::highavailability
cpe:/a:redhat:rhel_eus:9.6::resilientstorage
Vendors & Products Redhat rhel Eus
References

Wed, 06 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus Long Life
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_aus:8.4::highavailability
cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::highavailability
cpe:/a:redhat:rhel_e4s:8.8::appstream
cpe:/a:redhat:rhel_e4s:8.8::highavailability
cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
cpe:/a:redhat:rhel_eus_long_life:8.4::highavailability
cpe:/a:redhat:rhel_tus:8.6::appstream
cpe:/a:redhat:rhel_tus:8.6::highavailability
cpe:/a:redhat:rhel_tus:8.8::appstream
cpe:/a:redhat:rhel_tus:8.8::highavailability
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus Long Life
Redhat rhel Tus
References

Wed, 06 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux Eus
CPEs cpe:/o:redhat:enterprise_linux_eus:10.0
Vendors & Products Redhat enterprise Linux Eus
References

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:enterprise_linux:9::crb
cpe:/a:redhat:enterprise_linux:9::highavailability
cpe:/a:redhat:enterprise_linux:9::resilientstorage
References

Tue, 05 May 2026 10:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:8::appstream
cpe:/a:redhat:enterprise_linux:8::crb
cpe:/a:redhat:enterprise_linux:8::highavailability
cpe:/a:redhat:enterprise_linux:8::resilientstorage
References

Tue, 05 May 2026 10:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:10.1
References

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:corosync:corosync:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Corosync
Corosync corosync
Redhat openshift Container Platform
Vendors & Products Corosync
Corosync corosync
Redhat openshift Container Platform

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.
Title Corosync: corosync: denial of service and information disclosure via crafted udp packet
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-253
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-13T07:59:08.889Z

Reserved: 2026-04-01T11:35:23.145Z

Link: CVE-2026-35091

cve-icon Vulnrichment

Updated: 2026-04-01T20:29:29.178Z

cve-icon NVD

Status : Modified

Published: 2026-04-01T14:16:57.040

Modified: 2026-05-13T08:16:16.357

Link: CVE-2026-35091

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-01T11:48:13Z

Links: CVE-2026-35091 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T09:30:26Z

Weaknesses