Corosync: Denial of Service and Data Exposure

Summary

A security update is available for Corosync, a tool used in high-availability clusters. This update fixes two security issues that could allow an attacker to crash the system or access sensitive information. Apply the update to ensure your cluster remains secure and stable.

What to do
  • Update corosync to version 2.4.6-150300.12.16.1.

Affected software

| Ecosystem | Vendor | Product | Affected versions | Fix |
| --- | --- | --- | --- | --- |
| SUSE:Linux Enterprise High Availability Extension 15 SP4 | | corosync | < 2.4.6-150300.12.16.1 | upgrade to 2.4.6-150300.12.16.1 |
| SUSE:Linux Enterprise High Availability Extension 15 SP5 | | corosync | < 2.4.6-150300.12.16.1 | upgrade to 2.4.6-150300.12.16.1 |
| SUSE:Linux Enterprise High Availability Extension 15 SP6 | | corosync | < 2.4.6-150300.12.16.1 | upgrade to 2.4.6-150300.12.16.1 |
| SUSE:Linux Enterprise High Availability Extension 15 SP7 | | corosync | < 2.4.6-150300.12.16.1 | upgrade to 2.4.6-150300.12.16.1 |
| openSUSE:Leap 15.6 | | corosync | < 2.4.6-150300.12.16.1 | upgrade to 2.4.6-150300.12.16.1 |

Original title
Security update for corosync
Original description
This update for corosync fixes the following issues:

- CVE-2026-35091: Denial of Service and information disclosure via crafted UDP packet (bsc#1261299).
- CVE-2026-35092: Denial of Service via integer overflow in join message validation (bsc#1261300).
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026