CVE-2026-35091: Incorrect Check of Function Return Value in Red Hat Enterprise Linux 10
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.
AI Analysis
Technical Summary
CVE-2026-35091 identifies a high-severity vulnerability in Corosync, the cluster communication framework that underpins the high-availability and clustering add-ons of Red Hat Enterprise Linux 10. The flaw is an incorrect check of a function return value in the membership commit token sanity check used by the totemudp and totemudpu (UDP-based) transports, which the advisory describes as the default configuration. When Corosync parses a crafted UDP packet, the result of that sanity check is mishandled and processing continues on data that should have been rejected, producing an out-of-bounds read. The invalid read can crash the corosync daemon, denying service to the whole cluster, and may also disclose limited memory contents to the sender. The attack vector is the network, with no authentication or user interaction required, so any host able to reach the Corosync UDP port can trigger the condition. All Red Hat Enterprise Linux 10 deployments running Corosync over totemudp/totemudpu are affected. No public exploits had been reported at the time of writing, but the bug's characteristics make it a plausible tool for disruption or limited data leakage. The CVSS v3.1 base score of 8.2 reflects the high impact on availability together with the limited confidentiality impact, low attack complexity and no privileges required. The flaw is a reminder that the return values of validation routines in network protocol parsers must be checked and acted on, especially in infrastructure components that sit on trusted cluster networks.
Potential Impact
The primary impact of CVE-2026-35091 is denial of service against systems running Red Hat Enterprise Linux 10 with Corosync in totemudp or totemudpu mode. A crash of the corosync daemon disrupts cluster membership and the high-availability services built on it, which can mean downtime in environments such as data centers, cloud infrastructure and enterprise applications that rely on clustering for failover. The out-of-bounds read also carries a limited information disclosure risk: leaked memory could aid an attacker's reconnaissance or further exploitation, although the amount of data exposed is constrained. Because the flaw is remotely reachable without authentication, any adversary with network access to the Corosync UDP port on an affected node can attempt it. Organizations depending on Corosync for cluster management may therefore see service interruptions, degraded performance or exposure of sensitive memory contents, with the usual consequences of operational disruption, financial loss and reputational damage. Since the vulnerable transport is the default configuration, a large share of deployments is likely affected. The absence of known exploitation in the wild lowers the immediate threat but does not reduce the urgency of mitigation, given the severity and ease of exploitation.
Mitigation Recommendations
To mitigate CVE-2026-35091, organizations should prioritize applying the patches or updates from Red Hat as soon as they become available, since these address the root cause. In the interim, restrict access to the UDP ports used by Corosync to trusted cluster hosts only: the token port is typically UDP 5405, but Red Hat's high-availability firewall guidance opens a small range of neighbouring UDP ports (5404-5412), so verify the configured mcastport on each cluster before writing rules. Firewall rules or network segmentation that confine Corosync traffic to a dedicated cluster network reduce the attack surface considerably. Monitoring network traffic for anomalous or malformed UDP packets directed at the Corosync ports can help detect exploitation attempts; on the hosts themselves, unexpected corosync crashes, core dumps or repeated service restarts in the system journal are a useful secondary signal. Administrators should also review cluster configurations to ensure minimal exposure and consider temporarily disabling or restricting totemudp mode if that is operationally feasible. Regular auditing and updating of cluster software components and their dependencies helps prevent similar issues, and a tested incident response plan ensures that any exploitation attempt or resulting service disruption can be handled quickly.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, Netherlands, Brazil, China, Russia, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-04-01T11:35:23.145Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cd1fdee6bfc5ba1dd19c0b
Added to database: 4/1/2026, 1:38:38 PM
Last enriched: 4/1/2026, 1:54:04 PM
Last updated: 4/3/2026, 10:27:44 PM