Description
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents
Published: 2026-04-01
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote unauthenticated attacker can trigger Corosync to perform an out‑of‑bounds read by sending a specially crafted User Datagram Protocol packet that exploits a wrong return value in the Corosync membership commit token sanity check. This leads to a denial of service and potentially discloses limited in‑memory data. The flaw is a classic instance of an invalid function return value weakness, identified as CWE‑253.

Affected Systems

The flaw affects Corosync deployments that use the default totemudp/totemudpu transport, which is shipped with Red Hat Enterprise Linux 7, 8, 9, 10 and Red Hat OpenShift Container Platform 4. No specific version numbers are provided, so all standard builds that rely on the default UDP transport are potentially impacted.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, while an EPSS score of less than 1 % suggests a low probability of exploitation. The vulnerability is remotely exploitable over the network via UDP traffic directed at Corosync’s communication channel—though the precise port is not disclosed, the typical Corosync UDP endpoint is implied. Because no widespread exploitation has been reported and the vulnerability is not listed in the CISA KEV catalog, the current exposure risk is moderate, but the potential impact of a service crash or memory leakage warrants immediate countermeasures.

Generated by OpenCVE AI on May 13, 2026 at 09:21 UTC.

Remediation

Vendor Workaround

Systems using totemudp or totemudpu should migrate to the supported knet transport and enable encryption. Disabling the Corosync service is a valid workaround if clustering is not required, but for active clusters, enabling encryption via knet is the preferred and recommended approach.

OpenCVE Recommended Actions

  • Migrate Corosync to the KNET transport and enable encryption as recommended by the vendor
  • If clustering is not required, stop and disable the Corosync service to prevent the vulnerability from being exploitable
  • Monitor network traffic for unexpected or malformed UDP packets targeting Corosync's port to detect attempted exploitation
  • Apply any vendor‑released patch for Corosync when it becomes available

Generated by OpenCVE AI on May 13, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6261-1 corosync security update
Ubuntu USN Ubuntu USN USN-8170-1 Corosync vulnerabilities
History

Wed, 13 May 2026 08:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration. A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_e4s:9.0::appstream
cpe:/a:redhat:rhel_e4s:9.0::highavailability
cpe:/a:redhat:rhel_e4s:9.0::resilientstorage
cpe:/a:redhat:rhel_e4s:9.2::appstream
cpe:/a:redhat:rhel_e4s:9.2::highavailability
cpe:/a:redhat:rhel_e4s:9.2::resilientstorage
References

Wed, 06 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.4::appstream
cpe:/a:redhat:rhel_eus:9.4::crb
cpe:/a:redhat:rhel_eus:9.4::highavailability
cpe:/a:redhat:rhel_eus:9.4::resilientstorage
cpe:/a:redhat:rhel_eus:9.6::appstream
cpe:/a:redhat:rhel_eus:9.6::crb
cpe:/a:redhat:rhel_eus:9.6::highavailability
cpe:/a:redhat:rhel_eus:9.6::resilientstorage
Vendors & Products Redhat rhel Eus
References

Wed, 06 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus Long Life
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_aus:8.4::highavailability
cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::highavailability
cpe:/a:redhat:rhel_e4s:8.8::appstream
cpe:/a:redhat:rhel_e4s:8.8::highavailability
cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
cpe:/a:redhat:rhel_eus_long_life:8.4::highavailability
cpe:/a:redhat:rhel_tus:8.6::appstream
cpe:/a:redhat:rhel_tus:8.6::highavailability
cpe:/a:redhat:rhel_tus:8.8::appstream
cpe:/a:redhat:rhel_tus:8.8::highavailability
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus Long Life
Redhat rhel Tus
References

Wed, 06 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux Eus
CPEs cpe:/o:redhat:enterprise_linux_eus:10.0
Vendors & Products Redhat enterprise Linux Eus
References

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:enterprise_linux:9::crb
cpe:/a:redhat:enterprise_linux:9::highavailability
cpe:/a:redhat:enterprise_linux:9::resilientstorage
References

Tue, 05 May 2026 10:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:8::appstream
cpe:/a:redhat:enterprise_linux:8::crb
cpe:/a:redhat:enterprise_linux:8::highavailability
cpe:/a:redhat:enterprise_linux:8::resilientstorage
References

Tue, 05 May 2026 10:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:10.1
References

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:corosync:corosync:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Corosync
Corosync corosync
Redhat openshift Container Platform
Vendors & Products Corosync
Corosync corosync
Redhat openshift Container Platform

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.
Title Corosync: corosync: denial of service and information disclosure via crafted udp packet
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-253
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Corosync Corosync
Redhat Enterprise Linux Enterprise Linux Eus Openshift Openshift Container Platform Rhel Aus Rhel E4s Rhel Eus Rhel Eus Long Life Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-13T07:59:08.889Z

Reserved: 2026-04-01T11:35:23.145Z

Link: CVE-2026-35091

cve-icon Vulnrichment

Updated: 2026-04-01T20:29:29.178Z

cve-icon NVD

Status : Modified

Published: 2026-04-01T14:16:57.040

Modified: 2026-05-13T08:16:16.357

Link: CVE-2026-35091

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-01T11:48:13Z

Links: CVE-2026-35091 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T09:30:26Z

Weaknesses