{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35091", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-01T11:35:23.145Z", "datePublished": "2026-04-01T13:18:53.738Z", "dateUpdated": "2026-04-06T07:32:08.097Z"}, "containers": {"cna": {"title": "Corosync: corosync: denial of service and information disclosure via crafted udp packet", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "corosync", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "corosync", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "corosync", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "corosync", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-35091", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453169"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453813", "name": "RHBZ#2453813", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-01T11:48:13.254Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-253", "description": "Incorrect Check of Function Return Value", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-253: Incorrect Check of Function Return Value", "workarounds": [{"lang": "en", "value": "Systems using totemudp or totemudpu should migrate to the supported knet transport and enable encryption.\n\nDisabling the Corosync service is a valid workaround if clustering is not required, but for active clusters, enabling encryption via knet is the preferred and recommended approach."}], "timeline": [{"lang": "en", "time": "2026-04-01T11:31:01.742Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-01T11:48:13.254Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Sebasti\u00e1n Alba Vives for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-06T07:32:08.097Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T20:28:59.762709Z", "id": "CVE-2026-35091", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T20:29:55.615Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35091", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T20:28:59.762709Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T20:29:29.178Z"}}], "cna": {"title": "Corosync: corosync: denial of service and information disclosure via crafted udp packet", "credits": [{"lang": "en", "value": "Red Hat would like to thank Sebasti\u00e1n Alba Vives for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "packageName": "corosync", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "corosync", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "corosync", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "corosync", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "rhcos", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-04-01T11:31:01.742Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-01T11:48:13.254Z", "value": "Made public."}], "datePublic": "2026-04-01T11:48:13.254Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-35091", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453169"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453813", "name": "RHBZ#2453813", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Systems using totemudp or totemudpu should migrate to the supported knet transport and enable encryption.\n\nDisabling the Corosync service is a valid workaround if clustering is not required, but for active clusters, enabling encryption via knet is the preferred and recommended approach."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-253", "description": "Incorrect Check of Function Return Value"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-06T07:32:08.097Z"}, "x_redhatCweChain": "CWE-253: Incorrect Check of Function Return Value"}}, "cveMetadata": {"cveId": "CVE-2026-35091", "state": "PUBLISHED", "dateUpdated": "2026-04-06T07:32:08.097Z", "dateReserved": "2026-04-01T11:35:23.145Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-01T13:18:53.738Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:corosync:corosync:-:*:*:*:*:*:*:*", "matchCriteriaId": "5008766D-B12C-48F2-A70A-2344860259C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5F7E2F04-474D-4196-9CE8-242642990A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration."}], "id": "CVE-2026-35091", "lastModified": "2026-04-07T16:34:38.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-04-01T14:16:57.040", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://access.redhat.com/security/cve/CVE-2026-35091"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453169"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453813"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-253"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Sebasti\u00e1n Alba Vives for reporting this issue.", "bugzilla": {"description": "corosync: Corosync: Denial of Service and information disclosure via crafted UDP packet", "id": "2453813", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453813"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "CWE-253", "details": ["A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, restrict network access to the Corosync service on UDP port 5405 to only trusted hosts or networks. If Corosync is not required, consider disabling the service.\nExample firewall rule to restrict access to a trusted network (replace <TRUSTED_NETWORK> with your network):\n`firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" port port=\"5405\" protocol=\"udp\" source address=\"<TRUSTED_NETWORK>\" accept'`\n`firewall-cmd --reload`\nTo disable the Corosync service:\n`systemctl stop corosync`\n`systemctl disable corosync`\nNote that restricting access may impact cluster communication, and disabling the service will prevent cluster operation. A restart of the Corosync service or a system reboot may be required for changes to take full effect."}, "name": "CVE-2026-35091", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "corosync", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "corosync", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "corosync", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "corosync", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-01T11:48:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35091\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35091\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2453169"], "statement": "Important: A wrong return value vulnerability in Corosync's membership commit token sanity check allows remote unauthenticated attackers to send a crafted UDP packet, leading to an out-of-bounds read and denial of service. This affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "corosync", "vendor": "corosync"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Enterprise Linux 10", "source": "cna", "vendor": "Red Hat"}, "product": "enterprise_linux", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Red Hat OpenShift Container Platform 4", "source": "cna", "vendor": "Red Hat"}, "product": "openshift_container_platform", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-07T23:56:47.391284+00:00", "value": {"mitigation_remediation": ["Migrate Corosync to the KNET transport and enable encryption as recommended by the vendor", "If clustering is not required, stop and disable the Corosync service to prevent the vulnerability from being exploitable", "Monitor network traffic for unexpected or malformed UDP packets targeting Corosync's port to detect attempted exploitation", "Apply any vendor\u2011released patch for Corosync when it becomes available"], "summary": {"action": "Migrate to KNET", "impact": "Denial of Service and limited information disclosure via crafted UDP packet"}, "threat_synthesis": {"affected_systems": "The flaw affects Corosync deployments that use the default totemudp/totemudpu transport, which is shipped with Red\u00a0Hat Enterprise Linux 7, 8, 9, 10 and Red\u00a0Hat OpenShift Container Platform\u00a04. No specific version numbers are provided, so all standard builds that rely on the default UDP transport are potentially impacted.", "description_and_impact": "A remote unauthenticated attacker can trigger Corosync to perform an out\u2011of\u2011bounds read by sending a specially crafted User Datagram Protocol packet that exploits a wrong return value in the membership commit token sanity check. The resulting memory read can cause the Corosync service to crash, delivering a denial of service, and can expose a small portion of in\u2011memory data, which may contain sensitive information. The vulnerability is a classic example of an invalid function return value weakness, classified as CWE\u2011253.", "risk_and_exploitability": "The CVSS score of 8.2 indicates high severity, while an EPSS score of less than 1\u202f% suggests a low probability of exploitation. The vulnerability is remotely exploitable over the network via UDP traffic directed at Corosync\u2019s communication channel\u2014though the precise port is not disclosed, the typical Corosync UDP endpoint is implied. Because no widespread exploitation has been reported and the vulnerability is not listed in the CISA KEV catalog, the current exposure risk is moderate, but the potential impact of a service crash or memory leakage warrants immediate countermeasures."}}}}, "created": "2026-04-02T07:49:13.309049+00:00", "updated": "2026-04-08T19:59:50.241318+00:00", "vendors": ["corosync", "corosync$PRODUCT$corosync", "redhat", "redhat$PRODUCT$enterprise_linux", "redhat$PRODUCT$openshift_container_platform"]}