Cyber Posture

CVE-2026-35092

Severity: High · Public PoC

Published: 01 April 2026
Modified: 06 May 2026
KEV Added: not listed
Patch: not recorded
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0020 (42.0th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35092 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Corosync as shipped with Red Hat Enterprise Linux. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 42.0th percentile by EPSS exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Implements input validation mechanisms to directly prevent integer overflows from crafted UDP join messages in Corosync's sanity checks.

prevent: Requires timely identification, reporting, and remediation of flaws like the Corosync integer overflow vulnerability through patching.

prevent: Provides denial-of-service protections to limit or block crafted UDP packets that trigger Corosync service crashes.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The integer overflow in Corosync's UDP join message handling allows remote crafted packets to crash the service, directly enabling Endpoint Denial of Service via Application or System Exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity validation allows a remote, unauthenticated attacker to send crafted User Datagram Protocol (UDP) packets. This can cause the service to crash, leading to a denial of service. This vulnerability specifically affects Corosync deployments configured to use totemudp/totemudpu mode.

Deeper analysis

CVE-2026-35092 is an integer overflow vulnerability in Corosync's join message sanity validation. It affects Corosync deployments specifically configured to use totemudp or totemudpu mode. The flaw, published on 2026-04-01, allows crafted User Datagram Protocol (UDP) packets to trigger the overflow, and it is classified under CWE-190 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted UDP packets to a vulnerable Corosync instance. Successful exploitation causes the service to crash, resulting in a denial of service condition with high availability impact but no confidentiality or integrity effects.

Red Hat has published a security advisory for this issue at https://access.redhat.com/security/cve/CVE-2026-35092, along with related Bugzilla tracking entries at https://bugzilla.redhat.com/show_bug.cgi?id=2453169 and https://bugzilla.redhat.com/show_bug.cgi?id=2453814.

Details

CWE(s)

CWE-190 Integer Overflow or Wraparound

Affected Products

Vendor   | Product          | Versions
corosync | corosync         | all versions
redhat   | openshift        | 4.0
redhat   | enterprise linux | 10.0, 7.0, 8.0, 9.0

CVEs Like This One

CVE-2026-35091 (same product: Corosync)
CVE-2026-33040 (shared CWE-190)
CVE-2026-33666 (shared CWE-190)
CVE-2026-24173 (shared CWE-190)
CVE-2026-33662 (shared CWE-190)
CVE-2026-27951 (shared CWE-190)
CVE-2026-31814 (shared CWE-190)
CVE-2026-40385 (shared CWE-190)
CVE-2026-20639 (shared CWE-190)
CVE-2026-6773 (shared CWE-190)

References