Description
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.
Published: 2026-04-01
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and limited information disclosure via crafted UDP packet
Action: Migrate to KNET
AI Analysis

Impact

A remote, unauthenticated attacker can make Corosync perform an out‑of‑bounds read by sending a specially crafted User Datagram Protocol (UDP) packet that reaches an incorrectly checked return value in the membership commit token sanity check. The read can crash the Corosync service, which is a denial of service for every cluster resource that depends on its membership view, and can expose a small amount of process memory that may contain sensitive data. The underlying weakness is CWE‑253, Incorrect Check of Function Return Value.

Affected Systems

The flaw affects Corosync deployments that use the totemudp or totemudpu transport, which the advisory describes as the default configuration. The affected products listed are Red Hat Enterprise Linux 7, 8, 9 and 10 and Red Hat OpenShift Container Platform 4. No specific version numbers are given, so any build that still runs the UDP transport should be treated as potentially affected. Whether a given cluster actually does is determined by the transport setting in its corosync.conf and should be checked rather than assumed; per the description, clusters already running the knet transport are outside the scope of this flaw.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H, score 8.2) records that the attack is reachable over the network, is low in complexity and needs neither privileges nor user interaction, with high impact on availability and low impact on confidentiality. The EPSS score below 1 % and the SSVC assessment (Exploitation: none, Automatable: yes) say that exploitation has not been observed but would be easy to automate. The attack surface is UDP traffic to Corosync's totem port, which the advisory does not name; by default that is UDP 5405, the mcastport setting, and the totem protocol also uses mcastport-1, so 5404 should be considered as well. The vulnerability is not listed in the CISA KEV catalog. For clusters whose totem port is reachable only from the other cluster nodes the immediate exposure is limited; where that port is reachable from untrusted networks, a single packet can take down cluster membership, which justifies prompt remediation.

Generated by OpenCVE AI on April 7, 2026 at 23:56 UTC.

Remediation

Vendor Workaround

Systems using totemudp or totemudpu should migrate to the supported knet transport and enable encryption. Disabling the Corosync service is a valid workaround if clustering is not required, but for active clusters, enabling encryption via knet is the preferred and recommended approach.


OpenCVE Recommended Actions

  • Migrate Corosync to the KNET transport and enable encryption as recommended by the vendor
  • If clustering is not required, stop and disable the Corosync service to prevent the vulnerability from being exploitable
  • Monitor network traffic for unexpected or malformed UDP packets to Corosync's totem port (UDP 5405 by default, per the mcastport setting, with mcastport-1 also in use) to detect attempted exploitation, and restrict that port at the host firewall to the addresses of the cluster's own nodes
  • Apply any vendor‑released patch for Corosync when it becomes available
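The check a practitioner wants before and after this migration, as an added example that is not from the OpenCVE page or from the Corosync project: a POSIX shell audit that reads a corosync.conf, reports which transport the totem section selects, and, for knet, whether crypto_cipher and crypto_hash are set. It assumes the standard key: value syntax of corosync.conf, treats an absent transport key as unset because the effective default differs between Corosync major versions, and uses two constructed sample configurations: one in the affected udpu layout and one in the vendor-recommended knet-with-encryption layout. The /etc/corosync/corosync.conf path at the end is the usual location of the live file, not something the advisory states.

```shell
#!/bin/sh
# Added example, not part of the OpenCVE page or of Corosync itself.
# Audits a corosync.conf for the settings that matter for this advisory:
# the totem transport (udp/udpu affected, knet not) and, for knet, whether
# encryption is enabled via crypto_cipher and crypto_hash.

# totem_key FILE KEY: print the value of KEY at the top level of the totem {}
# block in FILE, or "unset" if it is absent. Brace depth is tracked so that
# keys inside nested blocks such as interface {} (used by the udp transport)
# are not mistaken for top-level totem keys.
totem_key() {
    awk -v key="$2" '
        /^[[:space:]]*totem[[:space:]]*[{]/ { depth = 1; next }
        depth > 0 {
            if (depth == 1 && $1 == (key ":")) { print $2; found = 1; exit }
            opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
            depth += opens - closes
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# corosync_status FILE: classify the configuration as
#   affected     udp or udpu transport, in scope for this advisory
#   unset        no transport key; the effective default depends on the
#                installed Corosync major version, so check the version
#   knet-plain   knet transport with encryption off (out of scope for this
#                flaw, but the vendor workaround asks for encryption)
#   knet-crypto  knet with both crypto_cipher and crypto_hash set
corosync_status() {
    transport=$(totem_key "$1" transport)
    case "$transport" in
        udp|udpu) echo affected ;;
        unset)    echo unset ;;
        knet)
            cipher=$(totem_key "$1" crypto_cipher)
            hash=$(totem_key "$1" crypto_hash)
            if [ "$cipher" != unset ] && [ "$cipher" != none ] &&
               [ "$hash" != unset ] && [ "$hash" != none ]; then
                echo knet-crypto
            else
                echo knet-plain
            fi ;;
        *) echo "unknown:$transport" ;;
    esac
}

# Constructed sample 1: the affected layout, a Corosync 2-style udpu transport.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
totem {
    version: 2
    cluster_name: demo
    transport: udpu
    interface {
        ringnumber: 0
        bindnetaddr: 192.0.2.0
        mcastport: 5405
    }
}
EOF

# Constructed sample 2: the vendor-recommended layout, knet with encryption.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
totem {
    version: 2
    cluster_name: demo
    transport: knet
    crypto_cipher: aes256
    crypto_hash: sha256
}
nodelist {
    node {
        ring0_addr: 192.0.2.11
        nodeid: 1
    }
    node {
        ring0_addr: 192.0.2.12
        nodeid: 2
    }
}
EOF
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

echo "sample udpu config: $(corosync_status "$WEAK_CONF")"   # affected
echo "sample knet config: $(corosync_status "$FIXED_CONF")"  # knet-crypto

# Usual location of the live configuration (assumed; the advisory does not name it).
if [ -r /etc/corosync/corosync.conf ]; then
    echo "this host:          $(corosync_status /etc/corosync/corosync.conf)"
fi
```

Run it on each cluster node; a result of `affected` means the node is in scope for this advisory, and `unset` means the transport is whatever the installed Corosync major version defaults to, so confirm the version before concluding anything.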

Generated by OpenCVE AI on April 7, 2026 at 23:56 UTC.

Advisories
  • Source: Ubuntu USN; ID: USN-8170-1; Title: Corosync vulnerabilities
History

Tue, 07 Apr 2026 18:00:00 +0000

  • CPEs, values added:
      cpe:2.3:a:corosync:corosync:-:*:*:*:*:*:*:*
      cpe:2.3:a:redhat:openshift:4.0:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000

  • First Time appeared, values added: Corosync; Corosync corosync; Redhat openshift Container Platform
  • Vendors & Products, values added: Corosync; Corosync corosync; Redhat openshift Container Platform

Thu, 02 Apr 2026 00:15:00 +0000

  • References: changed (no values listed)
  • Metrics threat_severity: value removed None, value added Important

Wed, 01 Apr 2026 23:45:00 +0000

  • Description, value added: A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.
  • Title, value added: Corosync: corosync: denial of service and information disclosure via crafted udp packet
  • First Time appeared, values added: Redhat; Redhat enterprise Linux; Redhat openshift
  • Weaknesses, value added: CWE-253
  • CPEs, values added:
      cpe:/a:redhat:openshift:4
      cpe:/o:redhat:enterprise_linux:10
      cpe:/o:redhat:enterprise_linux:7
      cpe:/o:redhat:enterprise_linux:8
      cpe:/o:redhat:enterprise_linux:9
  • Vendors & Products, values added: Redhat; Redhat enterprise Linux; Redhat openshift
  • References: changed (no values listed)
  • Metrics cvssV3_1, value added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}
  • Metrics ssvc, value added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-04-06T07:32:08.097Z
Reserved: 2026-04-01T11:35:23.145Z
Link: CVE-2026-35091

Vulnrichment

Updated: 2026-04-01T20:29:29.178Z

NVD

Status: Analyzed
Published: 2026-04-01T14:16:57.040
Modified: 2026-04-07T16:34:38.267
Link: CVE-2026-35091

Redhat

Severity: Important
Public Date: 2026-04-01T11:48:13Z
Links: CVE-2026-35091 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:59:50Z

Weaknesses