Cyber Resilience

CVE-2026-35091

Severity: High · Public PoC referenced
Published: 01 April 2026
Modified: 26 May 2026
KEV Added: not listed
Patch: available (Red Hat errata, see below)
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0087 (54.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35091 is a high-severity Incorrect Check of Function Return Value (CWE-253) vulnerability in Corosync, as shipped in Red Hat Enterprise Linux. Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it in the top 46.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35091 is a wrong-return-value bug in the Corosync membership commit token sanity check: the check's result is handled incorrectly (CWE-253, Incorrect Check of Function Return Value), so a remote unauthenticated attacker can send a specially crafted User Datagram Protocol (UDP) packet that gets past the check and triggers an out-of-bounds read. The flaw affects Corosync when running in its default totemudp/totemudpu mode and can result in a denial of service (DoS) or the disclosure of limited memory contents. CVSS v3.1 base score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).

Exploitation needs nothing more than network reachability of the totem UDP port: no privileges and no user interaction. The malicious packet passes the sanity check, and the out-of-bounds read that follows either crashes the corosync process or returns bytes beyond the intended buffer. The CVSS vector reflects both outcomes: high availability impact (A:H) for the crash, which takes down the membership and quorum service the rest of the cluster depends on, and low confidentiality impact (C:L) for the limited memory disclosure. Because proof-of-concept code is public, the network exposure of the totem port, not attacker skill, is the deciding risk factor.

Red Hat ships fixes in errata RHSA-2026:13644, RHSA-2026:13657, and RHSA-2026:13673. Further details on the vulnerability and remediation are on the Red Hat security page at https://access.redhat.com/security/cve/CVE-2026-35091 and in Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2453169.

Vulnerability details

A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents.

CWE(s)

CWE-253 Incorrect Check of Function Return Value

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables remote unauthenticated exploitation of a network-exposed service (Corosync over UDP) to cause application crash (DoS), directly mapping to application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
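What the availability impact of T1499.004 against Corosync looks like from the defender's side, as an added example that is not part of this page or of the Corosync project: a POSIX shell script that scans systemd journal output for repeated core dumps of corosync.service, which is the expected footprint of crafted UDP traffic hitting the unpatched sanity check. The journal lines are constructed for the example; the message wording follows systemd's own "Main process exited, code=dumped" format, and the threshold of two dumps is an assumed tuning value, not something the page specifies.

```shell
#!/bin/sh
# Added example, not from the page or from Corosync: detect repeated
# corosync.service core dumps in journal text. Such a pattern on a host
# with the totem UDP port exposed is the expected sign of CVE-2026-35091
# being used for DoS. Journal lines below are constructed.

SAMPLE_JOURNAL='Apr 02 10:00:01 node1 systemd[1]: Started Corosync Cluster Engine.
Apr 02 10:05:12 node1 systemd[1]: corosync.service: Main process exited, code=dumped, status=11/SEGV
Apr 02 10:05:13 node1 systemd[1]: corosync.service: Scheduled restart job, restart counter is at 1.
Apr 02 10:05:14 node1 systemd[1]: Started Corosync Cluster Engine.
Apr 02 10:05:40 node1 systemd[1]: corosync.service: Main process exited, code=dumped, status=11/SEGV
Apr 02 10:05:41 node1 systemd[1]: corosync.service: Scheduled restart job, restart counter is at 2.
Apr 02 10:05:42 node1 systemd[1]: Started Corosync Cluster Engine.
Apr 02 10:06:03 node1 systemd[1]: corosync.service: Main process exited, code=dumped, status=11/SEGV
Apr 02 10:06:04 node1 systemd[1]: corosync.service: Scheduled restart job, restart counter is at 3.'

# Print only the corosync core-dump lines from journal text on stdin.
corosync_crash_lines() {
    grep 'corosync\.service: Main process exited, code=dumped' || true
}

# Count corosync core dumps in journal text on stdin (prints 0 when none).
corosync_crash_count() {
    corosync_crash_lines | grep -c . || true
}

# Print an ALERT line and return 0 when the number of core dumps reaches
# THRESHOLD (default 2, an assumed tuning value); otherwise print an ok
# line and return 1 so the function can drive a monitoring check directly.
corosync_dos_report() {
    threshold=${1:-2}
    crashes=$(corosync_crash_lines)
    n=$(printf '%s\n' "$crashes" | grep -c . || true)
    if [ "$n" -lt "$threshold" ]; then
        echo "ok: $n corosync core dump(s), below threshold $threshold"
        return 1
    fi
    # journalctl short format: "Mon DD HH:MM:SS host unit[pid]: message"
    host=$(printf '%s\n' "$crashes" | head -n 1 | awk '{print $4}')
    first=$(printf '%s\n' "$crashes" | head -n 1 | awk '{print $1, $2, $3}')
    last=$(printf '%s\n' "$crashes" | tail -n 1 | awk '{print $1, $2, $3}')
    echo "ALERT: $host had $n corosync core dumps between $first and $last; check the totem UDP port for crafted traffic and confirm the RHSA fix is installed"
    return 0
}

# Stand-alone run on the constructed sample.
# Real use: journalctl -u corosync --since "-1h" --no-pager | corosync_dos_report 2
printf '%s\n' "$SAMPLE_JOURNAL" | corosync_dos_report
```

The check keys on the core-dump message rather than on restart counters because systemd resets the counter once the unit stays up for its configured interval, while the dump lines remain in the journal; a crash loop that settles and resumes would otherwise be under-counted.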

CVEs Like This One

CVE-2026-35092 (same product: Corosync)
CVE-2026-4271 (same product: Red Hat Enterprise Linux)
CVE-2026-2436 (same product: Red Hat Enterprise Linux)
CVE-2026-3260 (same product: Red Hat Enterprise Linux)
CVE-2025-32990 (same product: Red Hat Enterprise Linux)
CVE-2026-2100 (same product: Red Hat Enterprise Linux)
CVE-2026-0966 (same product: Red Hat Enterprise Linux)
CVE-2026-5201 (same product: Red Hat Enterprise Linux)
CVE-2026-7307 (same vendor: Red Hat)
CVE-2026-9064 (same product: Red Hat Enterprise Linux)

Affected Assets

Vendor     Product           Versions
corosync   corosync          all versions
redhat     openshift         4.0
redhat     enterprise linux  7.0, 8.0, 9.0, 10.0

The corosync entry records no fixed upstream version; use the Red Hat errata listed above to identify the fixed package builds for each product.

Mitigating Controls (NIST 800-53 r5)

SC-7 Boundary Protection (prevent): Restricts network exposure of Corosync's totem UDP ports (totemudp/totemudpu) to trusted cluster peers only, so a remote unauthenticated attacker cannot deliver crafted packets to the sanity-check code at all. UDP source addresses can be spoofed, so pair a source-address allowlist with a dedicated cluster interconnect network rather than relying on the allowlist alone.

SI-2 Flaw Remediation (prevent): Requires prompt application of the vendor patches (RHSA-2026:13644, RHSA-2026:13657, RHSA-2026:13673) that correct the return-value check in the membership commit token sanity logic. On RHEL 8 and later, dnf updateinfo list --cve CVE-2026-35091 shows whether one of these advisories is still pending on a host; an empty list means the host is patched or not affected, provided it can reach the errata repositories.

Input validation (prevent): Enforces validation of incoming UDP packets before they reach Corosync's token-processing code, reducing the chance that malformed inputs trigger the out-of-bounds read. Few network devices parse the totem protocol, so in practice this control is realised by the peer allowlist under SC-7 together with the corrected check delivered by SI-2.
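One way to implement the boundary-protection control above (and the only practical form of the input-validation control, since the filtering happens before the packet reaches Corosync), as an added example that is not part of this page or of the Corosync project: a POSIX shell script that reads the nodelist from corosync.conf and emits an nftables ruleset accepting UDP to the totem port only from those peers. It assumes the peers are listed as ring*_addr IPv4 literals (hostnames or IPv6 addresses would need resolving and an ip6 rule), that the port is the totem interface's mcastport with 5405 as the fallback (Corosync's documented default), and the table name corosync_guard is the example's own choice. The corosync.conf fragment inside the script is constructed.

```shell
#!/bin/sh
# Added example, not from the page or from Corosync: derive an nftables
# allowlist for the totem UDP port from corosync.conf's nodelist.
# Assumptions: peers appear as ring*_addr IPv4 literals (not hostnames),
# the port is the totem interface's mcastport, and 5405 is the fallback.

# Constructed corosync.conf fragment used when the script runs stand-alone.
SAMPLE_CONF='totem {
    version: 2
    transport: udpu
    interface {
        ringnumber: 0
        mcastport: 5405
    }
}
nodelist {
    node {
        ring0_addr: 10.0.0.11
        nodeid: 1
    }
    node {
        ring0_addr: 10.0.0.12
        nodeid: 2
    }
}'

# Print each distinct ring*_addr value from corosync.conf text on stdin.
corosync_peers() {
    sed -n 's/^[[:space:]]*ring[0-9]*_addr:[[:space:]]*\([^[:space:]]*\).*/\1/p' | sort -u
}

# Print the totem port from corosync.conf text on stdin; 5405 when unset.
corosync_port() {
    port=$(sed -n 's/^[[:space:]]*mcastport:[[:space:]]*\([0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${port:-5405}"
}

# Emit an nftables ruleset that accepts UDP to the totem port only from the
# configured peers and drops every other datagram to that port.
# Returns 1 and emits nothing if no peers are found, so a broken config
# never produces a ruleset that cuts the cluster off from itself.
corosync_nft_rules() {
    conf=$(cat)
    port=$(printf '%s\n' "$conf" | corosync_port)
    peers=$(printf '%s\n' "$conf" | corosync_peers | paste -s -d ',' - | sed 's/,/, /g')
    if [ -z "$peers" ]; then
        echo "corosync_nft_rules: no ring*_addr entries found" >&2
        return 1
    fi
    cat <<EOF
table inet corosync_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr { $peers } udp dport $port accept
        udp dport $port drop
    }
}
EOF
}

# Stand-alone run: print the ruleset for the constructed sample.
# Real use: corosync_nft_rules < /etc/corosync/corosync.conf | nft -f -
printf '%s\n' "$SAMPLE_CONF" | corosync_nft_rules
```

The chain keeps policy accept and adds one explicit drop, so loading it alongside an existing firewall table cannot widen access; nftables evaluates every input hook, and a drop verdict in this table is final. After loading, nft list table inet corosync_guard shows the installed rules, and a quick test is a UDP datagram to the totem port from a non-peer host, which should produce no response and no corosync log entry.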
