CVE-2026-35092 Overview
A critical integer overflow vulnerability has been discovered in Corosync's join message sanity validation mechanism. This flaw allows remote, unauthenticated attackers to send specially crafted User Datagram Protocol (UDP) packets to affected systems, resulting in service crashes and denial of service conditions. The vulnerability specifically impacts Corosync deployments configured to use totemudp or totemudpu transport modes.
Critical Impact
Remote unauthenticated attackers can crash Corosync cluster services via crafted UDP packets, causing denial of service in high-availability cluster environments.
Affected Products
- Corosync deployments using totemudp transport mode
- Corosync deployments using totemudpu transport mode
- Red Hat Enterprise Linux systems with affected Corosync versions
Discovery Timeline
- 2026-04-01 - CVE-2026-35092 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-35092
Vulnerability Analysis
This vulnerability stems from an integer overflow condition (CWE-190) in Corosync's join message processing logic. When Corosync receives a join message from a potential cluster member, it performs sanity validation on the incoming data. However, due to improper handling of integer boundaries during this validation process, an attacker can craft malicious UDP packets that trigger an integer overflow condition.
The vulnerability is exploitable over the network without authentication or user interaction, making it particularly dangerous in environments where Corosync cluster communication ports are accessible. When exploited, the integer overflow causes the Corosync service to crash, disrupting cluster operations and potentially affecting all services that depend on the high-availability cluster functionality.
Root Cause
The root cause is an integer overflow vulnerability (CWE-190) in the join message sanity validation code. When processing incoming join messages, the validation routine performs arithmetic operations on attacker-controlled values without proper bounds checking. This allows specially crafted values to overflow integer boundaries, leading to unexpected behavior and subsequent service crashes.
Integer overflows occur when an arithmetic operation produces a value that exceeds the maximum size the data type can store, causing the value to wrap around. In security-critical code paths like message validation, this can bypass intended security checks or cause memory corruption.
Attack Vector
The attack vector is network-based, requiring the attacker to send crafted UDP packets to Corosync's communication ports. The attack characteristics include:
- Network accessibility: Attacker must be able to reach Corosync UDP ports (typically port 5405)
- No authentication required: The vulnerability exists in pre-authentication message processing
- No user interaction: Exploitation is fully automated and requires no victim action
- Transport modes: Only totemudp and totemudpu configurations are vulnerable
An attacker would craft UDP packets containing malformed join messages with integer values specifically designed to trigger the overflow condition during sanity validation. Upon receiving these packets, the vulnerable Corosync instance processes the message, encounters the integer overflow, and crashes.
Detection Methods for CVE-2026-35092
Indicators of Compromise
- Unexpected Corosync service crashes or restarts in cluster environments
- Malformed UDP packets targeting Corosync communication ports (default: 5405)
- Cluster membership instability or frequent node rejoining events
- Anomalous network traffic patterns to Corosync UDP ports from unexpected sources
Detection Strategies
- Monitor Corosync service availability and implement alerting for unexpected restarts
- Analyze network traffic for malformed or unusually large UDP packets destined for Corosync ports
- Review system logs for Corosync crash dumps indicating integer overflow or memory corruption
- Deploy intrusion detection rules to identify crafted join message patterns
Monitoring Recommendations
- Enable verbose logging for Corosync to capture detailed information about incoming messages
- Implement network-level monitoring for anomalous UDP traffic patterns to cluster ports
- Configure automated alerting for Corosync service failures or unexpected terminations
- Monitor cluster quorum status for unexpected changes that may indicate ongoing attacks
How to Mitigate CVE-2026-35092
Immediate Actions Required
- Restrict network access to Corosync UDP ports (default: 5405) using firewall rules
- Allow only trusted cluster node IP addresses to communicate with Corosync services
- Monitor for vendor security updates from Red Hat and upstream Corosync maintainers
- Review cluster network architecture to ensure Corosync traffic is isolated from untrusted networks
Patch Information
Security advisories and patch information are available through the following resources:
- Red Hat CVE Advisory - Official Red Hat security advisory with remediation guidance
- Red Hat Bug Report #2453169 - Technical details and patch tracking
- Red Hat Bug Report #2453814 - Additional bug tracking information
Organizations should monitor these resources for official patches and apply updates as soon as they become available.
Workarounds
- Configure firewall rules to restrict Corosync UDP port access to only authorized cluster nodes
- Consider switching to totemknet transport mode if operationally feasible, as it is not affected by this vulnerability
- Implement network segmentation to isolate cluster communication from untrusted networks
- Deploy rate limiting on network devices to mitigate potential DoS attack impact
# Configuration example - Restrict Corosync port access via iptables
# Allow only trusted cluster nodes to access Corosync UDP port
iptables -A INPUT -p udp --dport 5405 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p udp --dport 5405 -s 192.168.1.11 -j ACCEPT
iptables -A INPUT -p udp --dport 5405 -s 192.168.1.12 -j ACCEPT
iptables -A INPUT -p udp --dport 5405 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
