Executive Summary

CVE-2026-35091 is a vulnerability in Corosync's handling of membership commit tokens. Specifically, a function called check_memb_commit_token_sanity() incorrectly validates incoming messages by returning success even when the message is truncated and smaller than expected. This causes the program to process attacker-controlled, undersized input, leading to an out-of-bounds read in memory.

An unauthenticated remote attacker can exploit this by sending a specially crafted UDP packet to the Corosync UDP port (default 5405) when Corosync is running in its default totemudp/totemudpu mode.

The result of this flaw can cause a denial of service (DoS) due to the out-of-bounds read and may also lead to limited disclosure of memory contents.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Corosync can lead to a denial of service (DoS) and potentially disclose limited memory contents due to an out-of-bounds read. This limited information disclosure could pose risks related to data confidentiality.

However, there is no specific information provided about the nature of the disclosed memory contents or whether any personal or sensitive data protected under standards like GDPR or HIPAA could be exposed.

Therefore, while the vulnerability could impact system availability and potentially leak some memory data, the provided information does not explicitly link it to compliance violations with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to cause a denial of service (DoS) on systems running the vulnerable Corosync versions. The attacker can crash or disrupt the service by exploiting the out-of-bounds read.

Additionally, there is a potential for limited information disclosure, where some memory contents might be leaked to the attacker, which could expose sensitive data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for suspicious UDP packets sent to the Corosync default UDP port 5405, especially those that are malformed or truncated and could trigger the out-of-bounds read.

A practical approach is to capture and analyze network traffic on port 5405 using tools like tcpdump or Wireshark to identify any unusual or crafted UDP packets targeting Corosync.

• Use tcpdump to capture UDP packets on port 5405: sudo tcpdump -i <interface> udp port 5405 -w corosync_traffic.pcap
• Analyze the captured packets with Wireshark or tshark to look for truncated or malformed membership commit token messages.
• Check Corosync logs for any crashes or denial of service symptoms that may indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting network access to the Corosync UDP port 5405 to trusted hosts only, using firewall rules to block unauthorized UDP traffic to this port.

Additionally, updating Corosync to a patched version that fixes the membership commit token sanity check vulnerability is strongly recommended.

If an update is not immediately available, consider disabling or restricting the totemudp/totemudpu mode if possible, or isolating the affected systems from untrusted networks.

Useful 0 Not Useful 0