CVE-2025-30472

9.0 CRITICAL

📋 TL;DR

Corosync versions through 3.1.9 contain a stack-based buffer overflow vulnerability in the orf_token_endian_convert function when processing large UDP packets. This allows remote attackers to execute arbitrary code or crash the service if encryption is disabled or they know the encryption key. Systems using Corosync for cluster communication without proper encryption are primarily affected.

💻 Affected Systems

Products:
  • Corosync
Versions: All versions through 3.1.9
Operating Systems: Linux distributions including Debian, Red Hat, Ubuntu, SUSE
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when encryption is disabled (crypto_cipher=none) or attacker knows the encryption key. Default configurations typically have encryption enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with root privileges leading to complete cluster compromise, data exfiltration, and lateral movement.

🟠 Likely Case

Service crash causing cluster failure and denial of service, potentially disrupting critical infrastructure.

🟢 If Mitigated

Limited impact if encryption is properly enabled with strong keys, though denial of service may still be possible.

🌐 Internet-Facing: HIGH if Corosync ports are exposed to untrusted networks without encryption.
🏢 Internal Only: MEDIUM to HIGH depending on network segmentation and encryption configuration.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted UDP packets to Corosync ports (typically 5404-5406). No authentication needed if encryption is disabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.10 or later

Vendor Advisory: https://github.com/corosync/corosync/issues/778

Restart Required: Yes

Instructions:

1. Check the current version: 'corosync -v'
2. Update via the package manager: 'apt update && apt upgrade corosync' (Debian/Ubuntu) or 'yum update corosync' (RHEL/CentOS)
3. Restart the Corosync service: 'systemctl restart corosync'
4. Verify cluster health.

🔧 Temporary Workarounds

Enable Encryption (Linux)

Ensure Corosync encryption is enabled with strong keys to prevent exploitation:

1. Edit /etc/corosync/corosync.conf
2. Set crypto_cipher: aes256
3. Set crypto_hash: sha256
4. Restart corosync: systemctl restart corosync

Network Segmentation (Linux)

Restrict access to Corosync ports using firewall rules (replace trusted_ip_range with the cluster's own subnet):

iptables -A INPUT -p udp --dport 5404:5406 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p udp --dport 5404:5406 -j DROP

🧯 If You Can't Patch

  • Enable strong encryption in Corosync configuration immediately
  • Implement strict network controls to limit UDP access to Corosync ports from trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check the Corosync version with 'corosync -v | grep version' and confirm whether it is 3.1.9 or earlier. Then check the crypto_cipher setting in /etc/corosync/corosync.conf to see whether encryption is disabled.

Check Version:

corosync -v | grep version

Verify Fix Applied:

Verify that the version is 3.1.10 or later with 'corosync -v'. Confirm the cluster is functioning with 'corosync-cfgtool -s'.
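The two checks above (version at or below 3.1.9, and crypto_cipher set to none) can be combined into one exposure assessment. The script below is an added example, not part of the advisory or the Corosync project; it assumes that 'corosync -v' prints a line containing "version '3.1.x'" and that the totem block of corosync.conf holds a "crypto_cipher: <value>" line. The sample version string and the two sample configurations are constructed for offline demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory): assess a host's exposure to
# CVE-2025-30472 from its Corosync version string and corosync.conf text.
# Assumptions: 'corosync -v' prints a line containing "version '3.1.x'" and
# the totem block of corosync.conf contains "crypto_cipher: <value>".

FIXED_VERSION="3.1.10"   # first release the advisory lists as fixed

# extract_version "<corosync -v output>": print the bare version number.
extract_version() {
    printf '%s\n' "$1" | sed -n "s/.*version '\([0-9][0-9.]*\)'.*/\1/p" | head -n1
}

# version_fixed VERSION: succeed when VERSION is 3.1.10 or later.
# sort -V orders 3.1.9 before 3.1.10, which a plain string compare would not.
version_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n1)
    [ -n "$1" ] && [ "$lowest" = "$FIXED_VERSION" ]
}

# crypto_cipher_of "<corosync.conf text>": print the configured cipher.
# An absent setting is reported as "none" (the documented corosync 3 default).
crypto_cipher_of() {
    value=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*crypto_cipher:[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        | head -n1)
    printf '%s\n' "${value:-none}"
}

# assess VERSION "<conf text>": print patched, mitigated or vulnerable.
assess() {
    if version_fixed "$1"; then
        echo patched
    elif [ "$(crypto_cipher_of "$2")" = "none" ]; then
        echo vulnerable        # unencrypted totem traffic; no key needed to reach the bug
    else
        echo mitigated         # attacker would need the key; the patch is still required
    fi
}

# Constructed sample inputs for offline demonstration.
SAMPLE_VERSION_OUTPUT="Corosync Cluster Engine, version '3.1.6'"
SAMPLE_CONF_OPEN='totem {
    version: 2
    cluster_name: demo
    crypto_cipher: none
    crypto_hash: none
}'
SAMPLE_CONF_ENCRYPTED='totem {
    version: 2
    cluster_name: demo
    crypto_cipher: aes256
    crypto_hash: sha256
}'

demo_version=$(extract_version "$SAMPLE_VERSION_OUTPUT")
echo "sample host, open cluster:      $(assess "$demo_version" "$SAMPLE_CONF_OPEN")"
echo "sample host, encrypted cluster: $(assess "$demo_version" "$SAMPLE_CONF_ENCRYPTED")"

# On a real node, run the same assessment against live data.
if command -v corosync >/dev/null 2>&1 && [ -r /etc/corosync/corosync.conf ]; then
    live_version=$(extract_version "$(corosync -v 2>/dev/null)")
    echo "this host: $(assess "$live_version" "$(cat /etc/corosync/corosync.conf)")"
fi
```

A result of "mitigated" only means the cipher setting is not none; enabling crypto_cipher also requires a shared key in /etc/corosync/authkey (created with corosync-keygen) on every node, and the script does not inspect that file. The assessment is meant as a quick triage aid across a fleet; the authoritative fix remains upgrading to 3.1.10 or later.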

📡 Detection & Monitoring

Log Indicators:

  • Corosync service crashes in system logs
  • Unexpected segmentation faults in Corosync logs
  • Cluster membership changes without explanation

Network Indicators:

  • Unusually large UDP packets to Corosync ports 5404-5406
  • Unusual traffic patterns to cluster nodes

SIEM Query:

source="corosync.log" AND ("segmentation fault" OR "buffer overflow" OR "SIGSEGV")

🔗 References
