Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 556
Alerts This Week
Warning Icon 1 556

Fedora 43 Corosync Critical DoS Fix for CVE-2026-35091 and CVE-2026-35092

fedora
Calendar Grey April 8, 2026
Dist Fedora Esm H88
Critical security advisory for Fedora 43 addressing Denial of Service issues in corosync with CVE-2026-35091 and CVE-2026-35092.
Security fix for CVE-2026-35091 and CVE-2026-35092

Summary

This package contains the Corosync Cluster Engine Executive, several default

APIs and libraries, default configuration files, and an init script.

Update Information:

Security fix for CVE-2026-35091 and CVE-2026-35092

Change Log

* Thu Apr 2 2026 Jan Friesse - 3.1.10-2 - totemsrp: Return error if sanity check fails (fixes CVE-2026-35091) - totemsrp: Fix integer overflow in memb_join_sanity (fixes CVE-2026-35092) * Fri Jan 23 2026 Benjamin A. Beasley - 3.1.10-4 - Rebuilt for net-snmp 5.9.5.2 * Fri Jan 16 2026 Fedora Release Engineering - 3.1.10-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild * Fri Jan 16 2026 Fedora Release Engineering - 3.1.10-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild

References


[ 1 ] Bug #2453169 - corosync: pre-auth OOB read in check_memb_commit_token_sanity + integer overflow in check_memb_join_sanity https://bugzilla.redhat.com/show_bug.cgi?id=2453169 [ 2 ] Bug #2453815 - CVE-2026-35091 corosync: Corosync: Denial of Service and information disclosure via crafted UDP packet [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2453815 [ 3 ] Bug #2453821 - CVE-2026-35092 corosync: Corosync: Denial of Service via integer overflow in join message validation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2453821

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-ee4ff58256' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: corosync
Product: Fedora 43
Version: 3.1.10
Release: 2.fc43
Summary: The Corosync Cluster Engine and Application Programming Interfaces

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.