Skip to main content

Red Hat Enterprise Linux 10 CVE-2026-35091

| EUVDEUVD-2026-17879 HIGH
Incorrect Check of Function Return Value (CWE-253)
2026-04-01 redhat
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
8.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 13:30 euvd
EUVD-2026-17879
Analysis Generated
Apr 01, 2026 - 13:30 vuln.today
CVE Published
Apr 01, 2026 - 13:18 nvd
HIGH 8.2

DescriptionCVE.org

A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.

AnalysisAI

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memory via malformed UDP packets. Affects default totemudp/totemudpu configurations across Red Hat Enterprise Linux 7/8/9/10 and OpenShift Container Platform 4. CVSS 8.2 (High) with network attack vector, low complexity, and no authentication required. EPSS and exploitation status data not available; no public exploit identified at time of analysis. Impacts high-availability clustering infrastructure commonly used in enterprise production environments.

Technical ContextAI

Corosync is a cluster communication engine implementing the Totem single-ring ordering and membership protocol, widely deployed in Linux high-availability (HA) clustering solutions like Pacemaker. The vulnerability (CWE-253: Incorrect Check of Function Return Value) exists in the membership commit token validation logic when operating in totemudp or totemudpu modes-the default transport mechanisms using UDP for cluster heartbeat and quorum messages. A coding error in return value handling during sanity checks of incoming commit tokens allows processing of maliciously crafted UDP packets that trigger out-of-bounds memory reads. The affected CPE strings indicate exposure across Red Hat Enterprise Linux 7, 8, 9, and 10, plus OpenShift Container Platform 4 environments where Corosync manages container orchestration cluster quorum. This is particularly critical as Corosync typically runs with elevated privileges and binds to network interfaces for inter-node communication.

RemediationAI

Organizations should immediately apply vendor-released patches through Red Hat's standard update channels using yum or dnf package managers for RHEL systems and standard OpenShift update procedures for container platforms. The primary remediation is upgrading to patched Corosync versions distributed through Red Hat security advisories linked at https://access.redhat.com/security/cve/CVE-2026-35091. Until patching is complete, implement network-level compensating controls by restricting Corosync UDP traffic (ports 5404-5406) exclusively to trusted cluster member IP addresses using firewall rules or network segmentation. Review and harden cluster network isolation to prevent unauthorized access to cluster communication channels. For OpenShift environments, ensure cluster network policies restrict corosync traffic to control plane nodes only. Monitor cluster logs for unexpected node failures or membership changes that could indicate exploitation attempts. Consult Red Hat Bugzilla entries 2453169 and 2453813 for version-specific guidance and subscribe to Red Hat Security Advisories for your deployed product versions.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise High Availability Extension 12 SP5 Fixed

Share

CVE-2026-35091 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy