FKIE_CVE-2026-35091
Vulnerability from fkie_nvd - Published: 2026-04-01 14:16 - Updated: 2026-06-17 10:40
Severity
Summary
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| corosync | corosync | - | |
| redhat | openshift | 4.0 | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 | |
| redhat | enterprise_linux | 9.0 | |
| redhat | enterprise_linux | 10.0 |
{
"affected": [
{
"affectedData": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.9-2.el10_1.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.10-1.el10_2.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 10.0 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.9-1.el10_0.2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7::server"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.4.5-7.el7_9.3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream",
"cpe:/a:redhat:enterprise_linux:8::crb",
"cpe:/a:redhat:enterprise_linux:8::highavailability",
"cpe:/a:redhat:enterprise_linux:8::resilientstorage"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.8-1.el8_10.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::appstream",
"cpe:/a:redhat:rhel_aus:8.4::highavailability",
"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream",
"cpe:/a:redhat:rhel_eus_long_life:8.4::highavailability"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.0-3.el8_4.2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::appstream",
"cpe:/a:redhat:rhel_aus:8.4::highavailability",
"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream",
"cpe:/a:redhat:rhel_eus_long_life:8.4::highavailability"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.0-3.el8_4.2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream",
"cpe:/a:redhat:rhel_e4s:8.6::appstream",
"cpe:/a:redhat:rhel_e4s:8.6::highavailability",
"cpe:/a:redhat:rhel_tus:8.6::appstream",
"cpe:/a:redhat:rhel_tus:8.6::highavailability"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.5-2.el8_6.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream",
"cpe:/a:redhat:rhel_e4s:8.6::appstream",
"cpe:/a:redhat:rhel_e4s:8.6::highavailability",
"cpe:/a:redhat:rhel_tus:8.6::appstream",
"cpe:/a:redhat:rhel_tus:8.6::highavailability"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.5-2.el8_6.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream",
"cpe:/a:redhat:rhel_e4s:8.6::appstream",
"cpe:/a:redhat:rhel_e4s:8.6::highavailability",
"cpe:/a:redhat:rhel_tus:8.6::appstream",
"cpe:/a:redhat:rhel_tus:8.6::highavailability"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.5-2.el8_6.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::appstream",
"cpe:/a:redhat:rhel_e4s:8.8::highavailability",
"cpe:/a:redhat:rhel_tus:8.8::appstream",
"cpe:/a:redhat:rhel_tus:8.8::highavailability"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.7-1.el8_8.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::appstream",
"cpe:/a:redhat:rhel_e4s:8.8::highavailability",
"cpe:/a:redhat:rhel_tus:8.8::appstream",
"cpe:/a:redhat:rhel_tus:8.8::highavailability"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.7-1.el8_8.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/a:redhat:enterprise_linux:9::highavailability",
"cpe:/a:redhat:enterprise_linux:9::resilientstorage"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.9-2.el9_7.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/a:redhat:enterprise_linux:9::highavailability",
"cpe:/a:redhat:enterprise_linux:9::resilientstorage"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.10-1.el9_8.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream",
"cpe:/a:redhat:rhel_e4s:9.0::highavailability",
"cpe:/a:redhat:rhel_e4s:9.0::resilientstorage"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.5-3.el9_0.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream",
"cpe:/a:redhat:rhel_e4s:9.2::highavailability",
"cpe:/a:redhat:rhel_e4s:9.2::resilientstorage"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.7-1.el9_2.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream",
"cpe:/a:redhat:rhel_eus:9.4::crb",
"cpe:/a:redhat:rhel_eus:9.4::highavailability",
"cpe:/a:redhat:rhel_eus:9.4::resilientstorage"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.8-1.el9_4.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream",
"cpe:/a:redhat:rhel_eus:9.6::crb",
"cpe:/a:redhat:rhel_eus:9.6::highavailability",
"cpe:/a:redhat:rhel_eus:9.6::resilientstorage"
],
"defaultStatus": "affected",
"packageName": "corosync",
"product": "Red Hat Enterprise Linux 9.6 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.1.9-2.el9_6.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"source": "secalert@redhat.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:corosync:corosync:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5008766D-B12C-48F2-A70A-2344860259C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openshift:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5F7E2F04-474D-4196-9CE8-242642990A16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents"
}
],
"id": "CVE-2026-35091",
"lastModified": "2026-06-17T10:40:06.943",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-35091",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T20:28:59.762709Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-04-01T14:16:57.040",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:13644"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:13657"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:13673"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:14205"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:14210"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:14211"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:14212"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:14213"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:14214"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:14215"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:14216"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:19043"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:19200"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:20916"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-35091"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453169"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453813"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-253"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…