
Debian and Freexian have released urgent security advisories addressing critical flaws in both the Ceph distributed storage platform and the Corosync cluster engine. The Ceph update resolves multiple vulnerabilities that could enable privilege escalation or information disclosure across several distribution branches. Meanwhile, the Corosync patch fixes two distinct network weaknesses that allow unauthenticated attackers to trigger denial of service attacks using crafted UDP packets. Administrators should apply these package upgrades immediately and consult official security trackers for comprehensive version details.

[DSA 6321-1] ceph security update
ELA-1746-1 corosync security update




[SECURITY] [DSA 6321-1] ceph security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6321-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 03, 2026                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ceph
CVE ID : CVE-2024-31884 CVE-2024-47866 CVE-2025-52555
Debian Bug : 1108410 1120797 1126573

Multiple vulnerabilities were discovered in Ceph, a distributed storage
and file system, which may result in privilege escalation, denial of
service or information disclosure.

For the oldstable distribution (bookworm), these problems have been fixed
in version 16.2.15+ds-0+deb12u2.

For the stable distribution (trixie), these problems have been fixed in
version 18.2.7+ds-1+deb13u1.

We recommend that you upgrade your ceph packages.

For the detailed security status of ceph please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ceph

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1746-1 corosync security update


Package : corosync
Version : 2.4.2-3+deb9u3 (stretch), 3.0.1-2+deb10u3 (buster)
Related CVEs : CVE-2026-35091 CVE-2026-35092


Two vulnerabilities have been found in corosync, a cluster engine daemon and
utilities, that allow a remote, unauthenticated attacker to cause a denial of
service.

CVE-2026-35091
A remote unauthenticated attacker can exploit a wrong return value
vulnerability in the Corosync membership commit token sanity check by
sending a specially crafted User Datagram Protocol (UDP) packet. This can
lead to an out-of-bounds read, causing a denial of service (DoS) and
potentially disclosing limited memory contents.

CVE-2026-35092
An integer overflow vulnerability in Corosync's join message sanity
validation allows a remote, unauthenticated attacker to send crafted User
Datagram Protocol (UDP) packets. This can cause the service to crash,
leading to a denial of service.
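Both advisories end with the same instruction: compare what is installed against the fixed version for your suite and upgrade if you are behind. The script below is an added example, not Debian's or Freexian's own tooling. It parses the fixed versions out of the two advisory texts above (the regular expressions are this example's own assumptions about DSA and ELA wording), re-implements dpkg's version-ordering rules in Python so the check runs on any host without calling dpkg, and compares them against a constructed inventory; on a real system that inventory would come from `dpkg-query -W` instead.

```python
"""Check installed Debian package versions against the fixed versions an
advisory names, using dpkg's version-ordering rules (re-implemented here
rather than calling dpkg, so the check runs anywhere)."""
import re

# Excerpts quoted from the DSA-6321-1 and ELA-1746-1 texts above.
DSA_CEPH = """Package : ceph
For the oldstable distribution (bookworm), these problems have been fixed
in version 16.2.15+ds-0+deb12u2.
For the stable distribution (trixie), these problems have been fixed in
version 18.2.7+ds-1+deb13u1."""
ELA_COROSYNC = """Package : corosync
Version : 2.4.2-3+deb9u3 (stretch), 3.0.1-2+deb10u3 (buster)"""
ADVISORIES = {"ceph": DSA_CEPH, "corosync": ELA_COROSYNC}

# Constructed sample inventory: package -> (suite, installed version).
# A real check would fill this from `dpkg-query -W` on each host.
INSTALLED = {
    "ceph": ("bookworm", "16.2.15+ds-0+deb12u1"),   # one revision behind
    "corosync": ("buster", "3.0.1-2+deb10u3"),      # already at the fix
}


def _order(c):
    """dpkg's weight for a character in a non-digit run: '~' sorts before
    everything (even end of string), letters before other symbols."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _order(a[i] if i < len(a) else "")
        ob = _order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream version or Debian revision as dpkg does:
    alternating non-digit runs (lexical, weighted) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        na = re.match(r"\D*", a[i:]).group()
        nb = re.match(r"\D*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version):
    """[epoch:]upstream[-revision] -> (epoch, upstream, revision)."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordered like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_fixed_versions(text):
    """Map suite -> fixed version from DSA wording ('(suite), ... fixed in
    version X.') or ELA wording ('Version : X (suite), Y (suite)')."""
    fixed = {}
    for suite, ver in re.findall(r"\((\w+)\)[^()]*?fixed\s+in\s+version\s+(\S+)", text, re.S):
        fixed[suite] = ver.rstrip(".")
    for ver, suite in re.findall(r"(\d\S*)\s+\((\w+)\)", text):
        fixed[suite] = ver
    return fixed


def find_vulnerable(advisories, installed):
    """Return {package: (installed, fixed)} for each installed package
    whose version is below the advisory's fixed version for its suite."""
    hits = {}
    for pkg, (suite, ver) in installed.items():
        fixed = parse_fixed_versions(advisories.get(pkg, "")).get(suite)
        if fixed and compare_versions(ver, fixed) < 0:
            hits[pkg] = (ver, fixed)
    return hits


if __name__ == "__main__":
    for pkg, (have, need) in find_vulnerable(ADVISORIES, INSTALLED).items():
        print(f"{pkg}: installed {have} < fixed {need}, upgrade required")
```

The version comparison matters more than it looks: a plain string compare would call `16.2.15+ds-0+deb12u2` older than `16.2.15+ds-0+deb12u10`, and would sort a `~rc1` pre-release after the final release, so a naive check can report a host as patched when it is not.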

