
Corosync Update: Denial of Service and Data Exposure Risk

SUSE-SU-2026:1394-1
Summary

An update for Corosync, software used for clustering and high availability, fixes a pair of issues that could allow an attacker to crash the system or access sensitive information. Left unpatched, these vulnerabilities expose the system to denial of service or data exposure. To protect your system, apply the latest update as soon as possible.

What to do
  • Update corosync to version 2.4.6-150300.12.16.1.
Affected software
Ecosystem Vendor Product Affected versions
SUSE:Linux Enterprise High Availability Extension 15 SP4 corosync < 2.4.6-150300.12.16.1
Fix: upgrade to 2.4.6-150300.12.16.1
SUSE:Linux Enterprise High Availability Extension 15 SP5 corosync < 2.4.6-150300.12.16.1
Fix: upgrade to 2.4.6-150300.12.16.1
SUSE:Linux Enterprise High Availability Extension 15 SP6 corosync < 2.4.6-150300.12.16.1
Fix: upgrade to 2.4.6-150300.12.16.1
SUSE:Linux Enterprise High Availability Extension 15 SP7 corosync < 2.4.6-150300.12.16.1
Fix: upgrade to 2.4.6-150300.12.16.1
openSUSE:Leap 15.6 corosync < 2.4.6-150300.12.16.1
Fix: upgrade to 2.4.6-150300.12.16.1
Original title
Security update for corosync
Original description
This update for corosync fixes the following issues:

- CVE-2026-35091: Denial of Service and information disclosure via crafted UDP packet (bsc#1261299).
- CVE-2026-35092: Denial of Service via integer overflow in join message validation (bsc#1261300).
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026