FERRAMENTAS LINUX: Critical Corosync Flaw: How to Secure Your Linux Cluster (Even If You Can’t Update Now)

Sunday, April 12, 2026

One UDP packet crashes your Corosync cluster. Check, patch, or firewall it. Commands for Ubuntu, Rocky, and SUSE, plus a bash script.

Historical context: In April 2026, a security update was released for Fedora 42 addressing two Corosync vulnerabilities (CVE-2026-35091 and CVE-2026-35092). But the issue isn’t about Fedora or that specific date — it’s about how any cluster using Corosync could be knocked offline by a single malicious UDP packet.

This guide will help you check, fix, and harden your Corosync setup today and for years to come.


What’s the real risk?

Corosync is the engine behind high-availability clusters (think Pacemaker, Red Hat HA, or any custom failover setup). The two flaws:

  • CVE-2026-35091: Pre-authentication out-of-bounds read → crash → denial of service.

An attacker on your network (or spoofing a trusted node) can send one crafted UDP packet and take down your whole cluster heartbeat. No login, no advanced exploit.


How to check if you are vulnerable

Run these commands on each cluster node.


Ubuntu/Debian:

```bash
dpkg -l | grep corosync
# Vulnerable versions: < 3.1.9-4 (or any 3.1.8.x)
corosync -v
```



Rocky/RHEL:

```bash
rpm -q corosync
# Vulnerable: corosync-3.1.8-* or earlier
corosync -v
```


SUSE:

```bash
zypper info corosync | grep Version
# Check if version is below 3.1.9-4
```

Universal check (all distros)

```bash
# See if your node listens for cluster traffic (default port 5405 UDP).
# Run as root so -p can show the owning process name.
ss -lunp | grep 5405
# If you see corosync, you are exposed.
```
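As an added example (not from the original post), this script automates the comparison above: it reads the installed corosync version from dpkg or rpm, drops any epoch prefix, and compares it against the fixed build 3.1.9-4 with GNU sort -V, so one check runs unchanged on Ubuntu, Rocky and SUSE.

```bash
#!/bin/bash
# Added example, not part of the original post: compare the installed
# corosync version with the fixed build named above (3.1.9-4) instead of
# eyeballing it. Assumes GNU coreutils (sort -V) plus the usual package
# tools: dpkg-query on Debian/Ubuntu, rpm on Rocky/RHEL/SUSE.

FIXED_VERSION="3.1.9-4"

# Drop a Debian epoch prefix such as "1:" so only upstream version and
# package release are compared.
strip_epoch() {
    printf '%s\n' "${1#*:}"
}

# version_lt A B: succeed if A sorts strictly before B in version order.
# sort -V compares numeric fields as numbers, so 3.1.10-1 > 3.1.9-4.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# corosync_vulnerable VERSION: succeed if VERSION is older than FIXED_VERSION.
corosync_vulnerable() {
    version_lt "$(strip_epoch "$1")" "$FIXED_VERSION"
}

# Ask the package manager for the installed version; prints nothing when
# corosync is not installed or no supported tool exists.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' corosync 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' corosync 2>/dev/null
    fi
}

# Stand-alone run: report this node's status.
version=$(installed_version || true)
if [ -z "$version" ]; then
    echo "corosync not installed on this node (or package tool unsupported)"
elif corosync_vulnerable "$version"; then
    echo "VULNERABLE: corosync $version is older than $FIXED_VERSION; update or firewall UDP 5405"
else
    echo "OK: corosync $version is $FIXED_VERSION or newer"
fi
```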


Automation script to apply the fix

Save this as fix-corosync.sh and run as root on each node (one at a time, keep quorum).

```bash
#!/bin/bash
# Corosync vulnerability fix - CVE-2026-35091 / CVE-2026-35092
# Works on Ubuntu, Rocky, SUSE. Run on one node at a time so the cluster keeps quorum.

set -e

if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi

echo "Checking current corosync version..."
corosync -v

# Detect the distro by its package manager and pull the updated package
if command -v apt-get &> /dev/null; then
    echo "Ubuntu/Debian detected"
    apt-get update
    apt-get install -y corosync
elif command -v dnf &> /dev/null; then
    echo "RHEL/Rocky/Fedora detected"
    dnf update -y corosync
elif command -v zypper &> /dev/null; then
    echo "SUSE detected"
    zypper refresh
    zypper update -y corosync
else
    echo "Unsupported distro. Please update corosync manually."
    exit 1
fi

echo "New version installed:"
corosync -v

echo "Restarting corosync service..."
systemctl restart corosync
systemctl status corosync --no-pager

echo "✅ Fix applied. Test cluster failover before returning to production."
```


Run it:

```bash
chmod +x fix-corosync.sh
./fix-corosync.sh
```


Alternative mitigation (if you can’t update now)

Sometimes you can’t reboot or upgrade. Use these immediate workarounds.

1. iptables / nftables – limit UDP to trusted peers only

On each node, identify your cluster peers’ IPs (from /etc/corosync/corosync.conf). Then:

```bash
# iptables example (replace 192.168.1.10 and 192.168.1.11 with your peers).
# 5405 is the default totem port; adjust it if your corosync.conf uses another.
# Accept the listed peers first so the rules below never drop legitimate heartbeats.
iptables -A INPUT -p udp --dport 5405 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p udp --dport 5405 -s 192.168.1.11 -j ACCEPT
# Track unlisted sources and drop bursts (more than 3 new flows per second).
# The tracked addresses are readable in /proc/net/xt_recent/corosync, which
# is handy for seeing who is hitting the cluster port.
iptables -A INPUT -p udp --dport 5405 -m conntrack --ctstate NEW -m recent --name corosync --set
iptables -A INPUT -p udp --dport 5405 -m conntrack --ctstate NEW -m recent --name corosync --update --seconds 1 --hitcount 3 -j DROP
# Drop everything else that reaches the cluster port
iptables -A INPUT -p udp --dport 5405 -j DROP
```



Save with iptables-save > /etc/iptables/rules.v4 (distro-dependent). Keep in mind that a source-IP allowlist only filters on the claimed sender: a host on the same segment can still spoof a listed peer's address (the spoofing case mentioned above), which is why the separate VLAN in the next step is the stronger control.


2. Move corosync to a separate, firewalled VLAN

No patch? Air-gap the cluster control network so that no external UDP packets reach port 5405 except from explicitly listed nodes.


3. Use AppArmor/SELinux to restrict the corosync binary

Temporarily enforce that corosync cannot exec other processes. This won't stop the crash (the flaw is a pre-authentication denial of service), but it reduces post-crash risk.
On Ubuntu with AppArmor:

```bash
aa-genprof corosync
# After answering the prompts, switch the generated profile to enforce mode
aa-enforce /usr/sbin/corosync
```


Suggested reading:

gives you step-by-step guidance on configuring Corosync, Pacemaker, DRBD, and HAProxy. It covers:

  • Cluster node configuration and automatic failover
  • Fencing techniques to maintain consistency
  • Shared storage with NFS, iSCSI, and DRBD
  • Load balancing with HAProxy
  • Database clustering (MariaDB Galera, PostgreSQL with Patroni)


Final checklist – save this

  • Run corosync -v on every node.
  • Compare with fixed version (3.1.9-4 or newer).
  • Apply script or manual update.
  • If no update possible, apply iptables rules.
  • Test failover: killall corosync on one node, watch resources move.













