CVE-2026-35091 Overview
A flaw was found in Corosync, the cluster engine that provides group communication services for high availability clusters. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.
Critical Impact
Remote unauthenticated attackers can cause denial of service and potential memory disclosure on Corosync cluster nodes using default UDP transport mode.
Affected Products
- Corosync (totemudp mode)
- Corosync (totemudpu mode)
- High availability cluster deployments using default Corosync configuration
Discovery Timeline
- 2026-04-01 - CVE CVE-2026-35091 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-35091
Vulnerability Analysis
This vulnerability stems from an incorrect return value handling in the membership commit token sanity check logic within Corosync. When processing incoming UDP packets, Corosync validates membership commit tokens to ensure cluster integrity. However, due to improper handling of return values during this sanity check (CWE-253: Incorrect Check of Function Return Value), the validation can be bypassed.
When an attacker sends a specially crafted UDP packet, the flawed return value check allows the application to proceed with processing malformed data. This results in an out-of-bounds read condition, where Corosync attempts to access memory beyond allocated buffer boundaries. The consequences are twofold: the cluster node may crash causing service disruption, and limited portions of memory may be inadvertently disclosed to the attacker.
The vulnerability is particularly significant because it affects the default transport configuration (totemudp/totemudpu), meaning most deployments are vulnerable unless explicitly configured otherwise.
Root Cause
The root cause is a wrong return value vulnerability (CWE-253) in the membership commit token sanity check function. The code fails to properly evaluate the return value from validation routines, allowing malformed packets to bypass security checks. This incorrect conditional logic permits processing of untrusted input that should have been rejected, ultimately leading to out-of-bounds memory access when handling the crafted data.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker with network access to the Corosync UDP port (typically UDP 5405) can send specially crafted packets targeting the membership commit token handling code. The attack flow involves:
- The attacker identifies a target running Corosync in UDP transport mode
- A maliciously crafted UDP packet is constructed to exploit the return value check flaw
- Upon receipt, the sanity check incorrectly passes due to improper return value handling
- The malformed token data triggers an out-of-bounds read operation
- The service crashes (DoS) or sensitive memory content is leaked to the attacker
The vulnerability mechanism centers on the improper handling of function return values during token validation. When the sanity check routine returns an unexpected value indicating an error condition, the calling code fails to properly interpret this result and continues processing. This allows maliciously crafted token data to bypass validation, ultimately causing the out-of-bounds read when the corrupted data is dereferenced. For additional technical details, refer to the Red Hat CVE Advisory and associated bug reports.
Detection Methods for CVE-2026-35091
Indicators of Compromise
- Unexpected Corosync service crashes or restarts on cluster nodes
- Unusual UDP traffic patterns targeting Corosync ports (default UDP 5405)
- Corosync log entries indicating token processing errors or memory access violations
- Cluster membership instability or unexpected node departures
Detection Strategies
- Monitor system logs for Corosync crash events using journalctl -u corosync or equivalent
- Deploy network intrusion detection rules to identify malformed UDP packets targeting Corosync ports
- Enable core dump analysis to identify out-of-bounds read patterns in crash scenarios
- Use SentinelOne Singularity platform for behavioral detection of process crashes and anomalous network activity
Monitoring Recommendations
- Configure real-time alerting for Corosync service state changes and crashes
- Implement network traffic analysis on UDP port 5405 to detect exploitation attempts
- Enable memory protection features and crash reporting for Corosync processes
- Review cluster health metrics for unusual node membership changes
How to Mitigate CVE-2026-35091
Immediate Actions Required
- Restrict network access to Corosync UDP ports (5405) using firewall rules to trusted cluster nodes only
- Consider switching transport mode from totemudp/totemudpu to knet (Kronosnet) if supported by your deployment
- Monitor for vendor security patches and apply them as soon as available
- Implement network segmentation to isolate cluster communication traffic
Patch Information
No specific patch version has been identified in the available data. Organizations should monitor the Red Hat CVE Advisory and Red Hat Bug Report #2453813 for patch availability and updated package versions. Consult your Linux distribution's security advisories for Corosync package updates.
Workarounds
- Configure firewall rules to restrict UDP 5405 access to authorized cluster member IP addresses only
- Switch to knet transport mode if feasible for your cluster deployment
- Deploy IDS/IPS rules to detect and block malformed Corosync UDP packets
- Enable SELinux or AppArmor confinement for Corosync to limit impact of potential exploits
# Configuration example
# Restrict Corosync UDP port access to cluster members only
# Example using iptables - replace IPs with actual cluster node addresses
iptables -A INPUT -p udp --dport 5405 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p udp --dport 5405 -s 192.168.1.11 -j ACCEPT
iptables -A INPUT -p udp --dport 5405 -s 192.168.1.12 -j ACCEPT
iptables -A INPUT -p udp --dport 5405 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
