ALAS2023-2026-1560


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1560
Advisory Released Date: 2026-04-13
Advisory Updated Date: 2026-04-13
Severity: Important

Issue Overview:

A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration. (CVE-2026-35091)

A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity validation allows a remote, unauthenticated attacker to send crafted User Datagram Protocol (UDP) packets. This can cause the service to crash, leading to a denial of service. This vulnerability specifically affects Corosync deployments configured to use totemudp/totemudpu mode. (CVE-2026-35092)


Affected Packages:

corosync


Issue Correction:
Run dnf update corosync --releasever 2023.11.20260413 or dnf update --advisory ALAS2023-2026-1560 --releasever 2023.11.20260413 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
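
To check whether a node still needs this update, the following added example (not part of the advisory) compares the installed corosync build with the fixed build listed under New Packages and reads the totem transport from corosync.conf. The function names and the /etc/corosync/corosync.conf path are assumptions of the example.

```shell
#!/bin/sh
# Fixed build named in this advisory (version-release from "New Packages").
FIXED_VR="3.1.9-3.amzn2023.0.2"

# Print the transport set in the totem{} section of a corosync.conf read
# from stdin, or "unset" when that section has no transport key.
totem_transport() {
    awk '
        { sub(/#.*/, "") }
        /^[ \t]*totem[ \t]*[{]/ { in_totem = 1; depth = 1; next }
        in_totem && /[{]/ { depth++ }
        in_totem && /[}]/ { if (--depth == 0) in_totem = 0 }
        in_totem && depth == 1 && /^[ \t]*transport[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); t = $0
        }
        END { print (t == "" ? "unset" : t) }
    '
}

# True when version-release $1 sorts before $2. GNU sort -V approximates RPM
# ordering, which is adequate for builds of the same release stream.
vr_older_than() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify a node: $1 = installed version-release, $2 = configured transport.
assess() {
    if ! vr_older_than "$1" "$FIXED_VR"; then
        echo "patched"
        return
    fi
    case "$2" in
        udp|udpu) echo "unpatched, totemudp/totemudpu in use" ;;
        unset)    echo "unpatched, transport not set (built-in default applies)" ;;
        *)        echo "unpatched, transport=$2" ;;
    esac
}

# On a host with corosync installed, report its status; otherwise do nothing.
conf=/etc/corosync/corosync.conf   # assumed config location
if command -v rpm >/dev/null 2>&1 && rpm -q corosync >/dev/null 2>&1; then
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' corosync)
    transport=unset
    [ -r "$conf" ] && transport=$(totem_transport < "$conf")
    echo "corosync $vr: $(assess "$vr" "$transport")"
fi
```

A node reported as unpatched with udp or udpu transport matches the configuration both CVEs describe and should be updated first.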

New Packages:
aarch64:
    corosync-debuginfo-3.1.9-3.amzn2023.0.2.aarch64
    corosync-vqsim-debuginfo-3.1.9-3.amzn2023.0.2.aarch64
    corosync-debugsource-3.1.9-3.amzn2023.0.2.aarch64
    corosync-3.1.9-3.amzn2023.0.2.aarch64
    corosynclib-debuginfo-3.1.9-3.amzn2023.0.2.aarch64
    corosync-vqsim-3.1.9-3.amzn2023.0.2.aarch64
    corosynclib-3.1.9-3.amzn2023.0.2.aarch64
    corosynclib-devel-3.1.9-3.amzn2023.0.2.aarch64

src:
    corosync-3.1.9-3.amzn2023.0.2.src

x86_64:
    corosync-debuginfo-3.1.9-3.amzn2023.0.2.x86_64
    corosynclib-3.1.9-3.amzn2023.0.2.x86_64
    corosync-debugsource-3.1.9-3.amzn2023.0.2.x86_64
    corosync-3.1.9-3.amzn2023.0.2.x86_64
    corosync-vqsim-debuginfo-3.1.9-3.amzn2023.0.2.x86_64
    corosynclib-debuginfo-3.1.9-3.amzn2023.0.2.x86_64
    corosync-vqsim-3.1.9-3.amzn2023.0.2.x86_64
    corosynclib-devel-3.1.9-3.amzn2023.0.2.x86_64