CVE-2026-35091
Published: 01 April 2026
Summary
CVE-2026-35091 is a high-severity Incorrect Check of Function Return Value (CWE-253) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 46.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-35091 is a wrong return value vulnerability in the Corosync membership commit token sanity check. A remote unauthenticated attacker can exploit it by sending a specially crafted User Datagram Protocol (UDP) packet, triggering an out-of-bounds read. This flaw affects Corosync when running in its default totemudp/totemudpu mode and can result in a denial of service (DoS) or the disclosure of limited memory contents. The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and is associated with CWE-253.
A remote unauthenticated attacker with network access to a vulnerable Corosync instance can exploit this issue without privileges or user interaction. Exploitation involves transmitting a malicious UDP packet that bypasses the sanity check, leading to an out-of-bounds read. The primary impact is a DoS from crashing the service, reflected in the high availability score; the read may also leak limited memory contents, reflected in the low confidentiality score.
Red Hat advisories provide mitigations through patches in errata RHSA-2026:13644, RHSA-2026:13657, and RHSA-2026:13673. Further details on the vulnerability and remediation are documented on the Red Hat security page at https://access.redhat.com/security/cve/CVE-2026-35091 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2453169.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17879
Vulnerability details
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents.
- CWE(s): CWE-253 (Incorrect Check of Function Return Value)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Application or System Exploitation (T1499.004)
Why these techniques?
The vulnerability enables remote unauthenticated exploitation of a network-exposed service (Corosync over UDP) to cause application crash (DoS), directly mapping to application exploitation for endpoint DoS.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SC-7 (Boundary Protection): Restricts network exposure of Corosync UDP ports (totemudp/totemudpu) to only trusted cluster peers, blocking remote unauthenticated attackers from sending crafted packets.
- SI-2 (Flaw Remediation): Requires prompt application of vendor patches (e.g., RHSA-2026:13644) that correct the wrong return-value check in the membership commit token sanity logic.
- Input validation: Enforces validation of incoming UDP packets before they reach Corosync's token-processing code, reducing the chance that malformed inputs trigger the out-of-bounds read.