CVE-2026-35092
Modified Modified - Updated After Analysis
Integer Overflow in Corosync TotemUDP Causes Remote DoS

Publication date: 2026-04-01

Last updated on: 2026-05-26

Assigner: Red Hat, Inc.

Description
A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity validation allows a remote, unauthenticated attacker to send crafted User Datagram Protocol (UDP) packets. This can cause the service to crash, leading to a denial of service. This vulnerability specifically affects Corosync deployments configured to use totemudp/totemudpu mode.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35092
EUVD
EUVD-2026-17881
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat openshift 4.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
corosync corosync *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35092 is an integer overflow vulnerability in Corosync's join message sanity validation. It occurs because two attacker-controlled 32-bit unsigned integers are added together, which can overflow in 32-bit arithmetic, causing the calculated length for message validation to be incorrect. This allows a remote, unauthenticated attacker to send specially crafted UDP packets that bypass sanity checks.

As a result, Corosync processes malformed input, which can cause the service to crash. This vulnerability specifically affects Corosync deployments configured to use totemudp/totemudpu mode.

Impact Analysis

This vulnerability can be exploited remotely without authentication to cause the Corosync service to crash, resulting in a denial of service (DoS).

Since Corosync is often used in cluster communication and high-availability setups, a crash could disrupt cluster operations, leading to service outages or degraded system availability.

Detection Guidance

This vulnerability involves crafted UDP packets targeting Corosync's totemudp/totemudpu mode, causing a denial of service by exploiting an integer overflow in join message validation.

Detection can focus on monitoring for unusual UDP traffic patterns to the Corosync service, especially malformed or suspiciously short UDP packets that could trigger the overflow.

Additionally, checking Corosync logs for crashes or service restarts may indicate exploitation attempts.

  • Use network packet capture tools like tcpdump to filter UDP traffic on the Corosync port (usually 5405):
  • tcpdump -i <interface> udp port 5405
  • Analyze captured packets for abnormal sizes or malformed join messages.
  • Check system logs for Corosync crashes or restarts, e.g., using journalctl:
  • journalctl -u corosync -b
Mitigation Strategies

Immediate mitigation steps include updating Corosync to a version where the integer overflow vulnerability in join message validation is fixed.

If an update is not immediately available, consider restricting network access to the Corosync UDP port (typically 5405) to trusted hosts only, using firewall rules.

  • Apply firewall rules to block or limit UDP traffic to port 5405 from untrusted sources.
  • Monitor Corosync service stability and logs for signs of crashes or exploitation attempts.

These steps help reduce the attack surface until a patched version is deployed.

Compliance Impact

The vulnerability described is a denial of service (DoS) issue caused by an integer overflow in Corosync's join message validation, which allows remote attackers to crash the service. It impacts availability but does not affect confidentiality or integrity of data.

Since the vulnerability does not involve unauthorized access to or disclosure of sensitive data, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and privacy of personal health or personal data.

However, the resulting denial of service could affect system availability, which may indirectly impact compliance if availability is a requirement under certain standards or organizational policies.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35092. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart