CVE-2025-30472
Published: 22 March 2025
Description
Mapped ATT&CK technique, Exploitation of Remote Services (T1210): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-30472 is a stack-based buffer overflow in the orf_token_endian_convert() function in exec/totemsrp.c of Corosync, affecting all versions through 3.1.9. The function byte-swaps an incoming ORF token of the totem protocol, and a sufficiently large UDP datagram makes it write past the fixed-size structure it decodes into. The flaw is only reachable when totem encryption is disabled or the attacker knows the encryption key. It maps to CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), published on 2025-03-22.
The vector reflects a remote, unprivileged attacker with no user interaction. Attack complexity is rated high because of the encryption precondition: the attacker must either find a cluster running with encryption disabled or already hold the key, and must be able to deliver UDP datagrams to the totem port of a cluster node. Successful exploitation gives high impact on confidentiality, integrity and availability, and the changed scope (S:C) indicates impact beyond the corosync process itself, since the daemon coordinates cluster membership for every node that trusts it; the likely outcome is remote code execution on the node.
The fix is to update to a Corosync release later than 3.1.9, or to a distribution build that backports the patch. Where an update is not yet possible, enabling totem encryption (crypto_cipher and crypto_hash in the totem section of corosync.conf) and keeping the authkey confidential removes the unauthenticated trigger, because the overflow requires either disabled encryption or knowledge of the key. Key references include the Corosync project site at https://corosync.org, the vulnerable code at https://github.com/corosync/corosync/blob/73ba225cc48ebb1903897c792065cb5e876613b0/exec/totemsrp.c#L4677, GitHub issue #778 at https://github.com/corosync/corosync/issues/778, and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/09/msg00023.html detailing backported fixes.
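The bug class described above, a decoder that takes an entry count from an attacker-controlled datagram and copies that many entries into a fixed-size structure on the stack, is shown below in a minimal model. This is an added example and is not Corosync's code: the struct names, the field layout, the capacity of eight entries and the wire format are all assumptions chosen for illustration, not the totem protocol's real layout. The vulnerable decoder sits beside a hardened version that bounds the count both by the structure's capacity and by the bytes actually received, and a helper measures how many words of neighbouring stack data the vulnerable path overwrites.

```c
/*
 * Added example (not Corosync's code): a minimal model of the bug class in
 * CVE-2025-30472, where a count taken from an attacker-controlled datagram
 * drives a copy into a fixed-size struct on the stack. Every name, field and
 * size here is an assumption chosen for illustration; the wire layout is
 * constructed, not Corosync's totem format.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ENTRIES_MAX 8u   /* assumed fixed capacity of the decoded token */

/* Host-order token as a receiver might hold it in a local variable. */
struct host_token {
    uint32_t entries;
    uint32_t entry[ENTRIES_MAX];
};

/* Models the receiver's stack frame: the token plus whatever sits next to it. */
struct frame_model {
    struct host_token tok;
    uint32_t neighbour[ENTRIES_MAX];   /* stands in for saved registers, return address, ... */
};

/* Read a big-endian 32-bit word from the datagram. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the entry count comes from the packet and is never compared
 * with the capacity of out->entry, so a large datagram writes past the struct. */
static void convert_vulnerable(const uint8_t *pkt, size_t len, struct host_token *out)
{
    (void)len;                      /* the datagram length is not consulted either */
    uint32_t *dst = out->entry;
    out->entries = be32(pkt);
    for (uint32_t i = 0; i < out->entries; i++)
        dst[i] = be32(pkt + 4 + 4 * i);   /* overflows once entries > ENTRIES_MAX */
}

/* Hardened version: bound the count by the capacity and by the bytes actually received. */
static int convert_hardened(const uint8_t *pkt, size_t len, struct host_token *out)
{
    if (len < 4)
        return -1;                                   /* no room for the count */
    uint32_t n = be32(pkt);
    if (n > ENTRIES_MAX)
        return -1;                                   /* the missing capacity check */
    if ((len - 4) / 4 < n)
        return -1;                                   /* packet shorter than it claims */
    out->entries = n;
    for (uint32_t i = 0; i < n; i++)
        out->entry[i] = be32(pkt + 4 + 4 * i);
    return 0;
}

/* Constructed attacker datagram: a count followed by `announced` entries of 0x41414141. */
static size_t build_packet(uint8_t *buf, size_t cap, uint32_t announced)
{
    size_t need = 4 + 4 * (size_t)announced;
    if (need > cap)
        return 0;
    buf[0] = (uint8_t)(announced >> 24); buf[1] = (uint8_t)(announced >> 16);
    buf[2] = (uint8_t)(announced >> 8);  buf[3] = (uint8_t)announced;
    memset(buf + 4, 0x41, need - 4);
    return need;
}

/* Feed the vulnerable decoder a datagram announcing `announced` entries and
 * return how many words of the neighbouring stack data were overwritten. */
int words_clobbered_by_vulnerable(uint32_t announced)
{
    struct frame_model f;
    uint8_t pkt[4 + 4 * 2 * ENTRIES_MAX];
    size_t len = build_packet(pkt, sizeof pkt, announced);
    if (len == 0)
        return -1;
    memset(&f, 0, sizeof f);
    convert_vulnerable(pkt, len, &f.tok);
    volatile uint32_t *nb = f.neighbour;   /* volatile: observe memory, not the compiler's model */
    int clobbered = 0;
    for (size_t i = 0; i < ENTRIES_MAX; i++)
        if (nb[i] != 0)
            clobbered++;
    return clobbered;
}

/* Same datagram through the hardened decoder: 1 if accepted, 0 if rejected. */
int hardened_accepts(uint32_t announced)
{
    struct host_token tok;
    uint8_t pkt[4 + 4 * 2 * ENTRIES_MAX];
    size_t len = build_packet(pkt, sizeof pkt, announced);
    if (len == 0)
        return 0;
    return convert_hardened(pkt, len, &tok) == 0;
}

/* A datagram whose count claims more entries than the bytes it carries. */
int hardened_accepts_truncated(void)
{
    struct host_token tok;
    uint8_t pkt[8] = { 0, 0, 0, 3, 0x41, 0x41, 0x41, 0x41 };   /* says 3 entries, carries 1 */
    return convert_hardened(pkt, sizeof pkt, &tok) == 0;
}
```

A datagram announcing twelve entries makes the vulnerable decoder overwrite four words beyond the token, and one announcing sixteen overwrites eight; on a real stack those words would be saved registers or the return address. The hardened decoder rejects any count above the capacity and any datagram shorter than its count implies, which is the check the vulnerable path lacks.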
Details
- CWE(s): CWE-121 (Stack-based Buffer Overflow), CWE-787 (Out-of-bounds Write)
- Affected Products: Corosync, all versions through 3.1.9
- MITRE ATT&CK Enterprise Techniques: Exploitation of Remote Services (T1210)
Why these techniques?
The overflow sits in the handler for Corosync's UDP-based totem protocol, a network-facing service on every cluster node. An attacker who can reach that port on a node where encryption is disabled, or who holds the key, can send the malformed token and obtain code execution on the node by exploiting that remote service, which is exactly the behaviour the technique describes.