Remote code execution in Corosync

Published: 2025-03-26

Risk	Medium
Patch available	NO
Number of vulnerabilities	1
CVE-ID	CVE-2025-30472
CWE-ID	CWE-121
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	corosync Server applications / Frameworks for developing and running applications
Vendor	corosync

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Stack-based buffer overflow

EUVDB-ID: #VU106058

Risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-30472

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary error in orf_token_endian_convert() function in exec/totemsrp.c. A remote attacker can send an overly large UDP packet to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability requires that encryption is disabled.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

corosync: 0.90 - 3.1.9

CPE2.3

External links

https://github.com/corosync/corosync/blob/73ba225cc48ebb1903897c792065cb5e876613b0/exec/totemsrp.c#L4677
https://github.com/corosync/corosync/issues/778
https://github.com/advisories/GHSA-4q2r-xgxr-vvqm

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.