Cyber Posture

CVE-2026-35091

Severity: High · Public PoC available · Updated

Published: 01 April 2026
Modified: 19 May 2026
KEV Added: not listed
Patch: available (Red Hat errata, see below)
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0099 (77.1st percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35091 is a high-severity Incorrect Check of Function Return Value (CWE-253) vulnerability in Corosync as shipped with Red Hat Enterprise Linux. Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 22.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Timely flaw remediation through vendor patches directly fixes the wrong return value vulnerability in Corosync's membership commit token sanity check, preventing exploitation.

Prevent: Information input validation (SI-10) ensures proper checking of UDP packets, directly addressing the flawed sanity check that allows crafted packets to trigger out-of-bounds reads.

Prevent: Denial-of-service protection (SC-5) limits the impact of crafted UDP packets causing service crashes in Corosync's default totemudp/totemudpu mode.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability enables remote unauthenticated exploitation of a network-exposed service (Corosync over UDP) to cause application crash (DoS), directly mapping to application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents.

Deeper analysis

CVE-2026-35091 is a wrong return value vulnerability in the Corosync membership commit token sanity check. A remote unauthenticated attacker can exploit it by sending a specially crafted User Datagram Protocol (UDP) packet, triggering an out-of-bounds read. This flaw affects Corosync when running in its default totemudp/totemudpu mode and can result in a denial of service (DoS) or the disclosure of limited memory contents. The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and is associated with CWE-253.

A remote unauthenticated attacker with network access to a vulnerable Corosync instance can exploit this issue without requiring privileges or user interaction. Exploitation involves transmitting a malicious UDP packet that bypasses the sanity check, leading to an out-of-bounds read. The primary impact is a DoS from the service crash (reflected in the high availability impact), with a secondary risk of leaking limited memory contents (reflected in the low confidentiality impact).

Red Hat advisories provide mitigations through patches in errata RHSA-2026:13644, RHSA-2026:13657, and RHSA-2026:13673. Further details on the vulnerability and remediation are documented on the Red Hat security page at https://access.redhat.com/security/cve/CVE-2026-35091 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2453169.

Details

CWE(s)

CWE-253 Incorrect Check of Function Return Value

Affected Products

Vendor     Product           Versions
corosync   corosync          all versions
redhat     openshift         4.0
redhat     enterprise linux  10.0, 7.0, 8.0, 9.0

CVEs Like This One

CVE-2026-35092 · Same product: Corosync Corosync
CVE-2026-4271 · Same product: Redhat Enterprise Linux
CVE-2026-2436 · Same product: Redhat Enterprise Linux
CVE-2026-3260 · Same product: Redhat Enterprise Linux
CVE-2025-32990 · Same product: Redhat Enterprise Linux
CVE-2026-2100 · Same product: Redhat Enterprise Linux
CVE-2026-5201 · Same product: Redhat Enterprise Linux
CVE-2026-0966 · Same product: Redhat Enterprise Linux
CVE-2026-5673 · Same product: Redhat Enterprise Linux
CVE-2026-4887 · Same product: Redhat Enterprise Linux