CVE-2026-35092
Integer Overflow in Corosync TotemUDP Causes Remote DoS
Publication date: 2026-04-01
Last updated on: 2026-05-06
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | openshift | 4.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
| corosync | corosync | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability described is a denial of service (DoS) issue caused by an integer overflow in Corosync's join message validation, which allows remote attackers to crash the service. It impacts availability but does not affect confidentiality or integrity of data.
Since the vulnerability does not involve unauthorized access to or disclosure of sensitive data, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and privacy of personal health or personal data.
However, the resulting denial of service could affect system availability, which may indirectly impact compliance if availability is a requirement under certain standards or organizational policies.
Can you explain this vulnerability to me?
CVE-2026-35092 is an integer overflow vulnerability in Corosync's join message sanity validation. It occurs because two attacker-controlled 32-bit unsigned integers are added together, which can overflow in 32-bit arithmetic, causing the calculated length for message validation to be incorrect. This allows a remote, unauthenticated attacker to send specially crafted UDP packets that bypass sanity checks.
As a result, Corosync processes malformed input, which can cause the service to crash. This vulnerability specifically affects Corosync deployments configured to use totemudp/totemudpu mode.
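The CWE-190 pattern the answer above describes, as an added illustration that is not Corosync's code: two attacker-controlled 32-bit length fields are summed in 32-bit arithmetic and compared against the size of the datagram that actually arrived. The field names, the datagram size and the input values are constructed for this example; the point is that a wrapped sum can be smaller than either operand and pass the comparison, and that rewriting the check as a subtraction (or widening to 64 bits) closes that gap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical validator: a join-style message carries two
 * attacker-controlled 32-bit length fields (names are constructed)
 * that together must fit inside the received datagram. */

/* CWE-190 form: the sum is computed in uint32_t before the compare,
 * so 0xFFFFFFF0 + 0x20 wraps to 0x10 and "fits" in any datagram. */
bool naive_len_ok(uint32_t datagram_len, uint32_t member_list_len,
                  uint32_t failed_list_len)
{
    uint32_t needed = member_list_len + failed_list_len; /* may wrap */
    return needed <= datagram_len;
}

/* Overflow-safe form: never add the untrusted fields; subtract from the
 * known bound instead, so no intermediate value can exceed datagram_len. */
bool safe_len_ok(uint32_t datagram_len, uint32_t member_list_len,
                 uint32_t failed_list_len)
{
    if (member_list_len > datagram_len)
        return false;
    return failed_list_len <= datagram_len - member_list_len;
}

/* Equivalent fix using a wider accumulator: two uint32_t values
 * always fit in a uint64_t, so the sum cannot wrap. */
bool wide_len_ok(uint32_t datagram_len, uint32_t member_list_len,
                 uint32_t failed_list_len)
{
    uint64_t needed = (uint64_t)member_list_len + failed_list_len;
    return needed <= datagram_len;
}

int main(void)
{
    /* Constructed inputs against a 100-byte datagram. */
    const uint32_t dlen = 100;
    struct { const char *name; uint32_t a, b; } cases[] = {
        { "sane   ", 20, 40 },
        { "toobig ", 60, 50 },
        { "wrap   ", 0xFFFFFFF0u, 0x20u }, /* wraps to 16 in 32-bit arithmetic */
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%s naive=%d safe=%d wide=%d\n", cases[i].name,
               naive_len_ok(dlen, cases[i].a, cases[i].b),
               safe_len_ok(dlen, cases[i].a, cases[i].b),
               wide_len_ok(dlen, cases[i].a, cases[i].b));
    }
    return 0;
}
```

The `wrap` case is the one that matters: the naive check accepts it while both hardened forms reject it, and the sane and oversized cases behave identically under all three, which is the property a fix for this class of bug should preserve.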
How can this vulnerability impact me?
This vulnerability can be exploited remotely without authentication to cause the Corosync service to crash, resulting in a denial of service (DoS).
Since Corosync is often used in cluster communication and high-availability setups, a crash could disrupt cluster operations, leading to service outages or degraded system availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves crafted UDP packets targeting Corosync's totemudp/totemudpu mode, causing a denial of service by exploiting an integer overflow in join message validation.
Detection can focus on monitoring for unusual UDP traffic patterns to the Corosync service, especially malformed or suspiciously short UDP packets that could trigger the overflow.
Additionally, checking Corosync logs for crashes or service restarts may indicate exploitation attempts.
- Use a packet capture tool such as tcpdump to filter UDP traffic on the Corosync port (usually 5405): `tcpdump -i <interface> udp port 5405`
- Analyze the captured packets for abnormal sizes or malformed join messages.
- Check the system journal for Corosync crashes or restarts: `journalctl -u corosync -b`
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating Corosync to a version where the integer overflow vulnerability in join message validation is fixed.
If an update is not immediately available, consider restricting network access to the Corosync UDP port (typically 5405) to trusted hosts only, using firewall rules.
- Apply firewall rules to block or limit UDP traffic to port 5405 from untrusted sources.
- Monitor Corosync service stability and logs for signs of crashes or exploitation attempts.
These steps help reduce the attack surface until a patched version is deployed.