PatchSiren cyber security CVE debrief

CVE-2026-35092 Red Hat CVE debrief

An integer overflow in Corosync's join message validation allows a remote, unauthenticated attacker to crash the daemon with crafted UDP packets. The flaw is reachable only in deployments that use the UDP transports (totemudp, multicast, or totemudpu, unicast). The CVE was published in April 2026 and updated in May 2026 with additional advisory information. Red Hat has issued multiple security advisories (RHSAs) for the OpenShift and Enterprise Linux product lines.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-01
Original CVE updated: 2026-05-26
Advisory published: 2026-04-01
Advisory updated: 2026-05-26

Who should care

Organizations running Corosync-based clusters including OpenShift Container Platform, Red Hat Enterprise Linux High Availability Add-On, and other Pacemaker/Corosync deployments using UDP-based transport modes. Infrastructure teams responsible for cluster quorum and membership services should prioritize assessment.

Technical summary

The vulnerability is in Corosync's join message sanity validation, where an integer overflow (CWE-190) can occur while processing a malformed UDP packet. An unauthenticated remote attacker who can reach the Corosync port can send crafted packets that crash the daemon, denying service to cluster membership and quorum for every node that depends on it. The attack surface is limited to configurations using the UDP transports, that is "transport: udp" (multicast) or "transport: udpu" (unicast) in the totem section of corosync.conf; deployments using the knet transport (totemknet) are not affected. The CVSS 3.1 score of 7.5 reflects network accessibility, low attack complexity and no authentication or user interaction, combined with a high availability impact and no confidentiality or integrity impact.

Defensive priority

HIGH

Recommended defensive actions

  • Verify Corosync configuration: identify systems whose corosync.conf sets "transport: udp" or "transport: udpu" in the totem section; a missing transport key means the version default applies, so confirm the running Corosync major version on those nodes
  • Apply vendor patches: install the Red Hat security advisories issued for the affected OpenShift and Enterprise Linux versions
  • Monitor cluster health: alert on unexpected Corosync process exits, restarts, and membership or quorum changes
  • Network segmentation: restrict UDP traffic to the Corosync port on cluster nodes to the other cluster nodes only
  • Review logs: examine Corosync logs for anomalous join messages preceding service crashes
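The first action above, identifying which nodes are on an affected transport, is easy to get wrong by grepping for the word "transport" anywhere in the file. The script below, an added example that is not PatchSiren's or the Corosync project's code, reads only the totem block, ignores comments and nested interface blocks, and classifies the configured transport. The three corosync.conf files it writes are constructed samples. The classification of a missing transport key (knet default in Corosync 3, udp default in Corosync 2) is stated from general Corosync knowledge, not from the advisory, so the script flags that case for manual review rather than deciding it.

```shell
#!/bin/sh
# Added example, not code from the page or from Corosync.
# Classifies a corosync.conf by the transport configured in its totem { } block.

# Print the value of the top-level "transport:" key inside totem { }, or "unset".
corosync_transport() {
    awk '
        { sub(/#.*/, "") }                                  # drop comments
        !in_totem && /^[ \t]*totem[ \t]*\{/ { in_totem = 1 } # enter totem block
        in_totem {
            sub(/transport:/, "transport: ")                # tolerate "transport:udp"
            opens = gsub(/\{/, "{"); closes = gsub(/\}/, "}")
            # depth 1 == directly inside totem, not inside interface { } etc.
            if (depth == 1 && $1 == "transport:") { print $2; found = 1; exit }
            depth += opens - closes
            if (depth <= 0) in_totem = 0                    # left the totem block
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Map a transport value to a verdict for this CVE.
assess_transport() {
    case "$1" in
        udp)   echo "AFFECTED: transport udp (totemudp, multicast)" ;;
        udpu)  echo "AFFECTED: transport udpu (totemudpu, unicast)" ;;
        knet)  echo "not affected: transport knet" ;;
        unset) echo "REVIEW: no transport key; Corosync 3 defaults to knet, Corosync 2 to udp (check corosync -v)" ;;
        *)     echo "REVIEW: unrecognised transport '$1'" ;;
    esac
}

# One report line per file: path, transport, verdict.
audit_corosync_conf() {
    t="$(corosync_transport "$1")"
    echo "$1: $(assess_transport "$t")"
}

# Constructed sample configurations (not from any real cluster).
SAMPLE_DIR="$(mktemp -d)"

cat > "$SAMPLE_DIR/udpu.conf" <<'EOF'
# constructed sample: unicast UDP transport
totem {
    version: 2
    cluster_name: hacluster
    transport: udpu   # unicast
    interface {
        ringnumber: 0
        bindnetaddr: 192.0.2.0
        mcastport: 5405
    }
}
logging {
    to_syslog: yes
}
EOF

cat > "$SAMPLE_DIR/knet.conf" <<'EOF'
# constructed sample: knet transport (Corosync 3 default)
totem {
    version: 2
    cluster_name: hacluster
    transport: knet
    crypto_cipher: aes256
    crypto_hash: sha256
}
nodelist {
    node {
        ring0_addr: node1
        nodeid: 1
    }
}
EOF

cat > "$SAMPLE_DIR/unset.conf" <<'EOF'
# constructed sample: no transport key, version default applies
totem {
    version: 2
    cluster_name: hacluster
    interface {
        ringnumber: 0
        bindnetaddr: 192.0.2.0
    }
}
EOF

for f in "$SAMPLE_DIR"/*.conf; do
    audit_corosync_conf "$f"
done
```

On a live node, cross-check the file against the running configuration, since a node may have been started with a different file: corosync-cmapctl -g totem.transport prints the transport the daemon is actually using. Point the audit at /etc/corosync/corosync.conf on each cluster node and treat any AFFECTED or REVIEW line as in scope for patching.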

Evidence notes

The CVE description confirms an integer overflow in join message sanity validation. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H describes a network-accessible, low-complexity, unauthenticated denial of service with no confidentiality or integrity impact. CWE-190 (Integer Overflow or Wraparound) is identified in the source metadata. Multiple RHSA advisories were issued between April and May 2026. Bugzilla entries 2453169 and 2453814 track exploit availability and issue resolution.
