{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/corosync/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35092"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-35092","denial-of-service","corosync"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35092 describes an integer overflow vulnerability found in Corosync, a cluster engine. This vulnerability resides in the join message sanity validation process. A remote, unauthenticated attacker can exploit this flaw by sending specially crafted User Datagram Protocol (UDP) packets to a vulnerable Corosync instance. Successful exploitation leads to a service crash, effectively causing a denial of service (DoS). The vulnerability specifically targets Corosync deployments utilizing the totemudp or totemudpu modes. Defenders should be aware of unusual UDP traffic patterns directed towards Corosync instances, especially those configured with totemudp/totemudpu.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Corosync instance running in totemudp/totemudpu mode.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious UDP packet designed to trigger an integer overflow in the join message sanity validation.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted UDP packet to the targeted Corosync instance.\u003c/li\u003e\n\u003cli\u003eThe Corosync service receives the malicious UDP packet.\u003c/li\u003e\n\u003cli\u003eThe join message sanity validation process attempts to process the malformed packet, leading to an integer overflow.\u003c/li\u003e\n\u003cli\u003eThe integer overflow causes a crash within the Corosync service.\u003c/li\u003e\n\u003cli\u003eThe Corosync service terminates or becomes unresponsive.\u003c/li\u003e\n\u003cli\u003eLegitimate cluster communications are disrupted, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35092 results in a denial-of-service condition, disrupting cluster communications and potentially impacting critical services relying on Corosync for high availability. The impact is significant for organizations using Corosync clusters to maintain service uptime, as a crash can lead to service outages. While the specific number of vulnerable deployments is unknown, organizations utilizing Corosync, especially in totemudp/totemudpu mode, are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor UDP traffic for unusual patterns indicative of exploitation attempts targeting Corosync instances.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Corosync UDP Traffic\u003c/code\u003e to identify potentially malicious UDP packets sent to Corosync instances.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eCWE-190\u003c/code\u003e (Integer Overflow or Wraparound) related to Corosync processes.\u003c/li\u003e\n\u003cli\u003eRefer to Red Hat\u0026rsquo;s security advisory (\u003ca href=\"https://access.redhat.com/security/cve/CVE-2026-35092\"\u003ehttps://access.redhat.com/security/cve/CVE-2026-35092\u003c/a\u003e) for potential patches or mitigations as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T14:16:57Z","date_published":"2026-04-01T14:16:57Z","id":"/briefs/2026-04-corosync-dos/","summary":"CVE-2026-35092 is an integer overflow vulnerability in Corosync's join message sanity validation, allowing a remote, unauthenticated attacker to send crafted UDP packets, resulting in a denial of service condition.","title":"Corosync Integer Overflow Vulnerability (CVE-2026-35092) Leads to DoS","url":"https://feed.craftedsignal.io/briefs/2026-04-corosync-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Corosync","version":"https://jsonfeed.org/version/1.1"}