PatchSiren cyber security CVE debrief

CVE-2026-35091 Red Hat CVE debrief

A vulnerability in Corosync's membership commit token sanity check allows a remote, unauthenticated attacker to trigger an out-of-bounds read with a crafted UDP packet, causing denial of service and potential limited memory disclosure. The flaw stems from an incorrect return value in the sanity check logic. Red Hat has issued multiple security advisories addressing the issue across OpenShift and Enterprise Linux platforms. The vulnerability carries a CVSS 3.1 base score of 8.2 (HIGH): network attack vector, low attack complexity, no privileges required, no user interaction.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-01
Original CVE updated: 2026-05-26
Advisory published: 2026-04-01
Advisory updated: 2026-05-26

Who should care

Organizations running Corosync-based clusters including OpenShift Container Platform and Red Hat Enterprise Linux high-availability deployments. Infrastructure teams managing clustered services dependent on Corosync for membership and messaging. Security operations teams monitoring for denial-of-service conditions in cluster environments.

Technical summary

The vulnerability exists in Corosync's handling of membership commit tokens. Because the sanity check function returns an incorrect value, a specially crafted UDP packet from a remote, unauthenticated attacker is accepted as valid instead of being rejected, and subsequent processing reads beyond the bounds of the received data. This out-of-bounds read can crash the Corosync service (DoS) and potentially expose limited memory contents. The attack requires network access to the Corosync cluster communication ports but no authentication or user interaction. The CVSS 3.1 score of 8.2 reflects high availability impact and low confidentiality impact with a network attack vector.
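As an added illustration of the defect class described above (this is not Corosync's code; the wire format, field names and size limits are invented for the demo), a small C token parser whose sanity check returns the wrong value on its failure path, beside the corrected return contract. The overshoot is reported rather than performed, so the demo never reads out of bounds itself.

```c
#include <stddef.h>
#include <stdint.h>

#define HDR_LEN      4     /* 32-bit little-endian member count (constructed format) */
#define ID_LEN       4     /* each member id is 32 bits */
#define MAX_MEMBERS  16

/* Shared contract for both variants: 0 = token is sane, -1 = reject it. */
static int token_sanity_check(uint32_t member_count, size_t pkt_len, int fixed)
{
    size_t needed = HDR_LEN + (size_t)member_count * ID_LEN;
    if (member_count > MAX_MEMBERS || needed > pkt_len) {
        /* Defect modelled here: the buggy variant returns 0 ("sane") on the
         * failure path, so the caller never drops the oversized token. */
        return fixed ? -1 : 0;
    }
    return 0;
}

/* Returns -1 if the token was rejected, otherwise the number of bytes a walk
 * over member_count ids would read past the end of the packet (0 = in bounds). */
long process_token(const uint8_t *pkt, size_t pkt_len, int fixed)
{
    if (pkt_len < HDR_LEN)
        return -1;
    uint32_t member_count = (uint32_t)pkt[0] | (uint32_t)pkt[1] << 8 |
                            (uint32_t)pkt[2] << 16 | (uint32_t)pkt[3] << 24;
    if (token_sanity_check(member_count, pkt_len, fixed) != 0)
        return -1;   /* only the fixed variant gets here on malformed input */
    /* A real parser would now index ids[0..member_count) on the raw buffer;
     * here we only compute how far that walk would overshoot the packet. */
    size_t walk_end = HDR_LEN + (size_t)member_count * ID_LEN;
    return walk_end > pkt_len ? (long)(walk_end - pkt_len) : 0;
}

/* Constructed packets: a benign token carrying 2 ids, and a malformed one
 * whose header claims 100 ids while carrying only 2. */
static const uint8_t benign_pkt[]    = { 2, 0, 0, 0,   1, 0, 0, 0,   2, 0, 0, 0 };
static const uint8_t malformed_pkt[] = { 100, 0, 0, 0, 1, 0, 0, 0,   2, 0, 0, 0 };

long run_benign(int fixed)    { return process_token(benign_pkt,    sizeof benign_pkt,    fixed); }
long run_malformed(int fixed) { return process_token(malformed_pkt, sizeof malformed_pkt, fixed); }
```

With the buggy contract the malformed token passes and the parser would read 392 bytes past the 12-byte packet; with the fixed contract it is dropped.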

Defensive priority

HIGH

Recommended defensive actions

  • Apply relevant Red Hat Security Advisory patches for affected OpenShift and Enterprise Linux systems
  • Review Corosync cluster network segmentation to limit UDP exposure to trusted nodes
  • Monitor for anomalous UDP traffic targeting Corosync cluster ports
  • Validate Corosync version updates across all cluster nodes to ensure consistent patching
  • Assess cluster logs for unexpected membership token processing errors that may indicate exploitation attempts

Evidence notes

The vulnerability description indicates a wrong return value in the membership commit token sanity check leads to out-of-bounds read conditions. CVSS vector confirms network-based attack with confidentiality and availability impacts. Multiple RHSA advisories indicate widespread patching across Red Hat product lines. Bugzilla entries suggest active tracking and potential exploit availability.

Official resources

CVE-2026-35091 was published on 2026-04-01 and last modified on 2026-05-19. The vulnerability affects Corosync cluster engine software and has been addressed through multiple Red Hat Security Advisories. No known exploitation in ransomware