A wrong-return-value vulnerability exists in the Corosync membership commit token sanity check in exec/totemsrp.c. The flaw is in check_memb_commit_token_sanity(): for truncated messages (msg_len < sizeof(struct memb_commit_token)) it incorrectly returns 0 (success) instead of -1 (failure). As a result, message_handler_memb_commit_token() continues processing attacker-controlled, undersized input, performs an allocation based on the short length, and then accesses struct memb_commit_token fields beyond the allocated region, triggering an out-of-bounds read (ASAN-confirmed). The issue can be triggered remotely without authentication in totemudp/totemudpu mode by a single crafted UDP packet sent to the Corosync port (default 5405), causing a denial of service and potentially leaking limited memory contents.
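The following C model is an added illustration and is not Corosync's source: it uses a hypothetical, simplified struct memb_commit_token layout (the real one in exec/totemsrp.c is larger and differs), and the names check_sanity_flawed, check_sanity_fixed and handle_commit_token are assumptions chosen for the example. It shows the mechanism described above from the defender's side: the flawed check lets a 4-byte message through and the handler's field read would then exceed its msg_len-sized allocation, while the corrected check refuses the message before any allocation happens. The model computes whether the read would be out of bounds instead of performing it, so it is itself memory-safe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for struct memb_commit_token (assumption, not the real layout). */
struct memb_commit_token {
    uint32_t token_seq;
    uint32_t ring_id_seq;
    uint32_t retrans_flg;
    uint32_t memb_index;
    uint32_t addr_entries;   /* last field: the read that lands past a short allocation */
};

/* Outcome codes returned by the modelled handler. */
enum token_outcome {
    TOKEN_REJECTED = -1,     /* sanity check failed, nothing processed */
    TOKEN_OK       =  0,     /* every field read lies inside the allocation */
    TOKEN_OOB_READ =  1      /* a field read would fall outside the msg_len-sized allocation */
};

/* Flawed check: the truncation branch returns 0, which the caller treats as success. */
static int check_sanity_flawed(const void *msg, size_t msg_len)
{
    (void)msg;
    if (msg_len < sizeof(struct memb_commit_token)) {
        return 0;   /* BUG: must signal failure here */
    }
    return 0;
}

/* Fixed check: a truncated message is refused with -1 before any further processing. */
static int check_sanity_fixed(const void *msg, size_t msg_len)
{
    (void)msg;
    if (msg_len < sizeof(struct memb_commit_token)) {
        return -1;
    }
    return 0;
}

/*
 * Models message_handler_memb_commit_token: gate on the sanity check, copy the
 * message into a buffer sized by msg_len, then read the last struct field.
 * Rather than touching memory past the buffer, it reports whether that read
 * would stay in bounds.
 */
static enum token_outcome handle_commit_token(const void *msg, size_t msg_len,
                                              int (*sanity)(const void *, size_t))
{
    if (sanity(msg, msg_len) != 0) {
        return TOKEN_REJECTED;
    }
    unsigned char *copy = malloc(msg_len);   /* allocation sized by the (possibly short) length */
    if (copy == NULL) {
        return TOKEN_REJECTED;
    }
    memcpy(copy, msg, msg_len);

    /* Bytes the handler needs in order to read addr_entries. */
    size_t needed = offsetof(struct memb_commit_token, addr_entries)
                  + sizeof(((struct memb_commit_token *)0)->addr_entries);
    enum token_outcome out = (needed <= msg_len) ? TOKEN_OK : TOKEN_OOB_READ;

    if (out == TOKEN_OK) {
        struct memb_commit_token tok;
        memcpy(&tok, copy, sizeof tok);      /* safe: the whole struct is present */
        (void)tok.addr_entries;
    }
    free(copy);
    return out;
}

/* Constructed sample inputs: a 4-byte truncated message and a full-size one. */
static const unsigned char truncated_msg[4] = { 0x01, 0x00, 0x00, 0x00 };
static const unsigned char full_msg[sizeof(struct memb_commit_token)] = { 0 };

int main(void)
{
    printf("flawed check, truncated: %d\n",
           handle_commit_token(truncated_msg, sizeof truncated_msg, check_sanity_flawed));
    printf("fixed check,  truncated: %d\n",
           handle_commit_token(truncated_msg, sizeof truncated_msg, check_sanity_fixed));
    printf("fixed check,  full-size: %d\n",
           handle_commit_token(full_msg, sizeof full_msg, check_sanity_fixed));
    return 0;
}
```

The point the model makes is that the handler trusts the checker's return value as its only guard; the allocation and the field reads never re-validate msg_len, so a checker that returns 0 on the truncation path is equivalent to having no length check at all. When reviewing similar sanity functions, confirm that every early-exit branch returns the failure code the caller actually tests for.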
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10, via RHSA-2026:13644: https://access.redhat.com/errata/RHSA-2026:13644
Red Hat Enterprise Linux 8, via RHSA-2026:13657: https://access.redhat.com/errata/RHSA-2026:13657
Red Hat Enterprise Linux 9, via RHSA-2026:13673: https://access.redhat.com/errata/RHSA-2026:13673
Red Hat Enterprise Linux 10.0 Extended Update Support, via RHSA-2026:14205: https://access.redhat.com/errata/RHSA-2026:14205
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, via RHSA-2026:14211: https://access.redhat.com/errata/RHSA-2026:14211
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On, via RHSA-2026:14215: https://access.redhat.com/errata/RHSA-2026:14215
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions, via RHSA-2026:14210: https://access.redhat.com/errata/RHSA-2026:14210
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service, via RHSA-2026:14214: https://access.redhat.com/errata/RHSA-2026:14214
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.8 Telecommunications Update Service, via RHSA-2026:14216: https://access.redhat.com/errata/RHSA-2026:14216
Red Hat Enterprise Linux 9.4 Extended Update Support, via RHSA-2026:14212: https://access.redhat.com/errata/RHSA-2026:14212
Red Hat Enterprise Linux 9.6 Extended Update Support, via RHSA-2026:14213: https://access.redhat.com/errata/RHSA-2026:14213
Red Hat Enterprise Linux 10, via RHSA-2026:19043: https://access.redhat.com/errata/RHSA-2026:19043
Red Hat Enterprise Linux 9, via RHSA-2026:19200: https://access.redhat.com/errata/RHSA-2026:19200
Red Hat Enterprise Linux 7 Extended Lifecycle Support, via RHSA-2026:20916: https://access.redhat.com/errata/RHSA-2026:20916