Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.
AnalysisAI
Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memory via malformed UDP packets. Affects default totemudp/totemudpu configurations across Red Hat Enterprise Linux 7/8/9/10 and OpenShift Container Platform 4. CVSS 8.2 (High) with network attack vector, low complexity, and no authentication required. EPSS and exploitation status data not available; no public exploit identified at time of analysis. Impacts high-availability clustering infrastructure commonly used in enterprise production environments.
Technical ContextAI
Corosync is a cluster communication engine implementing the Totem single-ring ordering and membership protocol, widely deployed in Linux high-availability (HA) clustering solutions like Pacemaker. The vulnerability (CWE-253: Incorrect Check of Function Return Value) exists in the membership commit token validation logic when operating in totemudp or totemudpu modes-the default transport mechanisms using UDP for cluster heartbeat and quorum messages. A coding error in return value handling during sanity checks of incoming commit tokens allows processing of maliciously crafted UDP packets that trigger out-of-bounds memory reads. The affected CPE strings indicate exposure across Red Hat Enterprise Linux 7, 8, 9, and 10, plus OpenShift Container Platform 4 environments where Corosync manages container orchestration cluster quorum. This is particularly critical as Corosync typically runs with elevated privileges and binds to network interfaces for inter-node communication.
RemediationAI
Organizations should immediately apply vendor-released patches through Red Hat's standard update channels using yum or dnf package managers for RHEL systems and standard OpenShift update procedures for container platforms. The primary remediation is upgrading to patched Corosync versions distributed through Red Hat security advisories linked at https://access.redhat.com/security/cve/CVE-2026-35091. Until patching is complete, implement network-level compensating controls by restricting Corosync UDP traffic (ports 5404-5406) exclusively to trusted cluster member IP addresses using firewall rules or network segmentation. Review and harden cluster network isolation to prevent unauthorized access to cluster communication channels. For OpenShift environments, ensure cluster network policies restrict corosync traffic to control plane nodes only. Monitor cluster logs for unexpected node failures or membership changes that could indicate exploitation attempts. Consult Red Hat Bugzilla entries 2453169 and 2453813 for version-specific guidance and subscribe to Red Hat Security Advisories for your deployed product versions.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Same weakness CWE-253 – Incorrect Check of Function Return Value
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise High Availability Extension 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Availability Extension 12 SP5 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise High Availability Extension 12 SP3 | Fixed |
| SUSE Linux Enterprise High Availability Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP3 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17879