📄 Description (English)
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.
🤖 AI Executive Summary
CVE-2026-35091 is a critical remote denial-of-service vulnerability in Corosync affecting cluster management infrastructure across Saudi Arabia. An unauthenticated attacker can send malicious UDP packets to trigger out-of-bounds memory reads, causing service disruption and potential information disclosure. With exploit code publicly available and no patch currently available, this poses immediate risk to organizations running Corosync in default totemudp/totemudpu mode, particularly critical infrastructure operators.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 25, 2026 05:48
🇸🇦 Saudi Arabia Impact Assessment
High impact on Saudi government infrastructure (NCA, CITC), banking sector (SAMA-regulated institutions, major banks), energy sector (Saudi Aramco, SEC), and healthcare systems (MOH). Corosync is commonly used in high-availability clusters for critical services. Exploitation could disrupt essential services including financial transactions, government operations, and energy management systems. Saudi organizations running OpenShift (Red Hat Enterprise Linux 7-10) are particularly vulnerable.
🏢 Affected Saudi Sectors
Government (NCA, CITC, Ministry of Interior)
Banking (SAMA-regulated institutions, major commercial banks)
Energy (Saudi Aramco, SEC)
Healthcare (Ministry of Health, private hospitals)
Telecommunications (STC, Mobily, Zain)
Critical Infrastructure (water, power distribution)
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running Corosync in totemudp/totemudpu mode using: 'corosync-cfgtool -s' and review /etc/corosync/corosync.conf
2. Implement network segmentation: restrict UDP port 5405-5406 access to trusted cluster nodes only using firewall rules
3. Deploy intrusion detection signatures for malformed Corosync membership packets
4. Monitor system logs for segmentation faults and out-of-bounds read errors
COMPENSATING CONTROLS (until patch available):
5. Switch to totemknet transport mode if operationally feasible: modify corosync.conf to use 'transport: knet' instead of 'totemudp'
6. Implement strict network ACLs limiting Corosync cluster communication to known node IPs only
7. Deploy rate limiting on UDP port 5405-5406 to mitigate DoS attempts
8. Enable Corosync debug logging to detect anomalous membership token values
DETECTION:
9. Monitor for: 'corosync.*segfault', 'out of bounds', 'invalid token' in system logs
10. Alert on unexpected Corosync service restarts or crashes
11. Track memory access patterns using auditd rules for Corosync process
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تشغل Corosync في وضع totemudp/totemudpu باستخدام: 'corosync-cfgtool -s' ومراجعة /etc/corosync/corosync.conf
2. تنفيذ تقسيم الشبكة: تقييد وصول منفذ UDP 5405-5406 إلى عقد المجموعة الموثوقة فقط باستخدام قواعد جدار الحماية
3. نشر توقيعات كشف الاختراق لحزم عضوية Corosync المشوهة
4. مراقبة سجلات النظام للأخطاء والقراءات خارج الحدود
الضوابط البديلة (حتى توفر التصحيح):
5. التبديل إلى وضع نقل totemknet إن أمكن: تعديل corosync.conf لاستخدام 'transport: knet' بدلاً من 'totemudp'
6. تنفيذ قوائم تحكم الوصول الصارمة لتحديد اتصالات مجموعة Corosync بعناوين IP المعروفة فقط
7. نشر تحديد معدل على منفذ UDP 5405-5406 للتخفيف من محاولات DoS
8. تفعيل تسجيل تصحيح Corosync للكشف عن قيم رموز العضوية الشاذة
الكشف:
9. مراقبة: 'corosync.*segfault', 'out of bounds', 'invalid token' في سجلات النظام
10. تنبيه عند إعادة تشغيل أو توقف خدمة Corosync غير المتوقعة
11. تتبع أنماط الوصول إلى الذاكرة باستخدام قواعد auditd لعملية Corosync
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Change management procedures
ECC 2024 A.13.1.3 - Segregation of networks
ECC 2024 A.14.2.1 - Secure development policy
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.IP-12 - Security patch management
DE.CM-8 - Vulnerability scans and assessments
RS.MI-2 - Incident response and mitigation
🟡 ISO 27001:2022
A.12.3.1 - Segregation of networks
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development, acceptance and transition
A.13.1.3 - Segregation of networks
🟣 PCI DSS v4.0.1
Requirement 6.2 - Security patches and updates
Requirement 11.2 - Vulnerability scanning
Requirement 1.1 - Firewall configuration standards
🔗 References & Sources 3
📦 Affected Products / CPE 6 entries
corosync:corosync:-
redhat:openshift:4.0
redhat:enterprise_linux:7.0
redhat:enterprise_linux:8.0
redhat:enterprise_linux:9.0
redhat:enterprise_linux:10.0