Two vulnerabilities in exec/totemsrp.c (current HEAD commit ee28d8f). Both pre-auth in totemudp/totemudpu mode. Different from CVE-2025-30472.

BUG 1 - CWE-393: check_memb_commit_token_sanity() returns 0 instead of -1 when msg_len < sizeof(struct memb_commit_token). Compare with check_orf_token_sanity() which correctly returns -1. This allows message_handler_memb_commit_token() to process a truncated message causing heap-buffer-overflow READ. ASAN confirmed. Fix: change return (0) to return (-1) at ~line 3814.

BUG 2 - CWE-190: In check_memb_join_sanity() ~line 3789, (proc_list_entries + failed_list_entries) wraps in uint32 before size_t promotion. With proc=0x80000000 + failed=0x80000000, sum=0, bypassing bounds check. Fix: cast to size_t before addition.

ASAN harnesses will be attached after submission.

Reproducible: Always

Steps to Reproduce:
1. gcc -fsanitize=address,undefined -g -O0 harness_bug1_minimal.c -o harness_bug1
2. ./harness_bug1
3. Observe ASAN heap-buffer-overflow READ

Actual Results:
ASAN reports heap-buffer-overflow READ of size 4, 21 bytes past allocation

Expected Results:
check_memb_commit_token_sanity should return -1 and reject the short message

Additional Information:
Reporter: Sebastian Alba Vives (@Sebasteuo / 0xS4bb1)
Contact: sebasjosue84
90-day disclosure deadline: June 28, 2026.
Requesting separate CVE assignments for each vulnerability. Also reported to jfriesse and secalert.
CVSS Bug 1: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
CVSS Bug 2: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
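Added model of the two sanity-check defects described in the report, with each vulnerable check beside its corrected form; this is illustrative code, not corosync's. The token, header and entry sizes are hypothetical constants, the function shapes are simplified, and the fix for Bug 2 assumes a 64-bit size_t.

```c
/* Standalone model of the two defects from the report above.
 * Sizes and function shapes are hypothetical, not corosync's. */
#include <stddef.h>
#include <stdint.h>

#define COMMIT_TOKEN_LEN 40u  /* hypothetical sizeof(struct memb_commit_token) */
#define JOIN_HEADER_LEN  64u  /* hypothetical fixed part of struct memb_join */
#define ENTRY_LEN        16u  /* hypothetical size of one proc/failed entry */

/* Bug 1 (CWE-393): returning 0 on a short message tells the caller the
 * message is sane, so it goes on to read fields that lie past the buffer. */
int commit_token_sanity_vulnerable(size_t msg_len)
{
    if (msg_len < COMMIT_TOKEN_LEN)
        return 0;   /* wrong status code: truncated message is accepted */
    return 0;
}

int commit_token_sanity_fixed(size_t msg_len)
{
    if (msg_len < COMMIT_TOKEN_LEN)
        return -1;  /* reject, matching the other sanity checks */
    return 0;
}

/* Bug 2 (CWE-190): both counts are uint32_t, so their sum is computed in
 * 32-bit unsigned arithmetic and wraps before it is widened for the multiply.
 * 0x80000000 + 0x80000000 == 0, so 'required' collapses to the header size. */
int join_sanity_vulnerable(size_t msg_len, uint32_t proc_list_entries,
                           uint32_t failed_list_entries)
{
    size_t required = JOIN_HEADER_LEN +
        (proc_list_entries + failed_list_entries) * (size_t)ENTRY_LEN;
    return (msg_len < required) ? -1 : 0;
}

/* Fixed: widen each count to size_t before adding. With a 64-bit size_t
 * (x86_64/aarch64) the sum of two uint32_t values cannot wrap. */
int join_sanity_fixed(size_t msg_len, uint32_t proc_list_entries,
                      uint32_t failed_list_entries)
{
    size_t required = JOIN_HEADER_LEN +
        ((size_t)proc_list_entries + (size_t)failed_list_entries) * ENTRY_LEN;
    return (msg_len < required) ? -1 : 0;
}
```

A header-only message (msg_len equal to JOIN_HEADER_LEN) carrying the two 0x80000000 counts passes the vulnerable check and is rejected by the fixed one.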
Created attachment 2135489 [details] PoC for Bug 1: ASAN heap-buffer-overflow in check_memb_commit_token_sanity
Created attachment 2135490 [details] Integer overflow bypass in check_memb_join_sanity
Created attachment 2135491 [details] ASAN output confirming OOB read
Created attachment 2135493 [details] Output confirming integer overflow
FEDORA-2026-e34a334e81 (corosync-3.1.10-5.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2026-e34a334e81
FEDORA-2026-ee4ff58256 (corosync-3.1.10-2.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-ee4ff58256
FEDORA-2026-95ee0edcd5 (corosync-3.1.9-4.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2026-95ee0edcd5
FEDORA-2026-95ee0edcd5 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-95ee0edcd5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-95ee0edcd5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-ee4ff58256 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-ee4ff58256` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-ee4ff58256 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-e34a334e81 has been pushed to the Fedora 44 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-e34a334e81` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-e34a334e81 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-ee4ff58256 (corosync-3.1.10-2.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.