| Package | corosync |
|---|---|
| Version | 2.4.2-3+deb9u3 (stretch), 3.0.1-2+deb10u3 (buster) |
| Related CVEs | CVE-2026-35091 CVE-2026-35092 |
Two vulnerabilities have been found in corosync, a cluster engine daemon and utilities, that allow a remote, unauthenticated attacker to cause a denial of service.
CVE-2026-35091
A remote unauthenticated attacker can exploit a wrong return value
vulnerability in the Corosync membership commit token sanity check by
sending a specially crafted User Datagram Protocol (UDP) packet. This can
lead to an out-of-bounds read, causing a denial of service (DoS) and
potentially disclosing limited memory contents.
CVE-2026-35092
An integer overflow vulnerability in Corosync's join message sanity
validation allows a remote, unauthenticated attacker to send crafted User
Datagram Protocol (UDP) packets. This can cause the service to crash,
leading to a denial of service.
For Debian 10 buster, these problems have been fixed in version 3.0.1-2+deb10u3.
For Debian 9 stretch, these problems have been fixed in version 2.4.2-3+deb9u3.
We recommend that you upgrade your corosync packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.