Description
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Denial of Service
Action: Patch Now
AI Analysis

Impact

Coturn's STUN/TURN attribute parsing performs unsafe pointer casts (CWE-704), allowing a crafted UDP packet with odd-aligned attributes to trigger a misaligned memory read on ARM64. The resulting SIGBUS kills the turnserver process, causing a denial of service to all clients. The flaw is exploitable by a remote attacker and requires no authentication or privileged input.
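As an added illustration, not coturn's own code and not a reproduction of ns_turn_msg.c, the following C reads STUN attribute headers byte by byte, which is alignment-safe at any offset, including the odd-aligned attribute boundaries the advisory describes, and bounds-checks the attribute length so a crafted value cannot push the parser past the buffer. The sample buffer and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Alignment-safe read of a big-endian 16-bit field at ANY byte offset.
 * Assembling the value from single bytes never issues a 2-byte load, so it
 * cannot fault on a strict-alignment AArch64 target the way *(uint16_t *)p
 * does when p is odd. (memcpy into a uint16_t followed by ntohs is the
 * other common alignment-safe idiom.) */
static uint16_t rd16_be(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Parse one STUN attribute header (RFC 5389: 2-byte type, 2-byte length,
 * value padded to a 4-byte boundary) starting at byte offset `off`.
 * Returns 0 on success, -1 if the header or the padded value does not fit
 * in `len` bytes, so a crafted length can neither read past the buffer nor
 * place the next attribute out of bounds. */
int parse_stun_attr(const uint8_t *buf, size_t len, size_t off,
                    uint16_t *type, uint16_t *vlen, size_t *next_off) {
    if (off > len || len - off < 4)
        return -1;
    *type = rd16_be(buf + off);
    *vlen = rd16_be(buf + off + 2);
    size_t padded = ((size_t)*vlen + 3) & ~(size_t)3;
    if (len - off - 4 < padded)
        return -1;
    *next_off = off + 4 + padded;
    return 0;
}

/* Constructed sample: a leading stray byte puts the attribute header at
 * odd offset 1 (type 0x0006 USERNAME, length 5, "alice" + 3 pad bytes). */
static const uint8_t sample_buf[] = {
    0x00,
    0x00, 0x06, 0x00, 0x05,
    'a', 'l', 'i', 'c', 'e', 0x00, 0x00, 0x00
};
static const size_t sample_len = sizeof sample_buf;

/* Convenience wrapper: parse the odd-aligned sample attribute. */
int parse_sample(uint16_t *type, uint16_t *vlen, size_t *next_off) {
    return parse_stun_attr(sample_buf, sample_len, 1, type, vlen, next_off);
}
```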

Affected Systems

The vulnerability affects coturn servers running any version prior to 4.10.0 on ARM64 (AArch64) hardware. All coturn installations exposing the default TURN/STUN port are at risk when deployed on this architecture.

Risk and Exploitability

The CVSS score of 7.5 indicates moderate-to-severe risk. No exploitation probability score has been published and the vulnerability is not listed in the CISA KEV catalog, but the minimal preconditions, a single unauthenticated UDP packet, suggest a high likelihood of exploitation in targeted deployments; this is inferred from the description. Because the attack originates from a raw UDP packet, it can be carried out remotely without authentication, making quick service disruption possible.

Generated by OpenCVE AI on April 22, 2026 at 07:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade coturn to version 4.10.0 or newer.
  • If an upgrade is not immediately feasible, restrict inbound STUN/TURN UDP (usually port 3478) to known, trusted hosts via firewall rules.
  • Continuously monitor system logs for SIGBUS events and ensure the server is restarted promptly after any crash.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 03:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Coturn
                                      Coturn coturn
Vendors & Products                    Coturn
                                      Coturn coturn

Wed, 22 Apr 2026 00:00:00 +0000

Type         Values Removed   Values Added
Description                   Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.
Title                         Coturn: Misaligned Memory Access in coturn STUN Attribute Parser (Remote DoS on ARM64)
Weaknesses                    CWE-704
References
Metrics                       cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                              ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:36:46.136Z

Reserved: 2026-04-14T14:07:59.642Z

Link: CVE-2026-40613

Vulnrichment

Updated: 2026-04-21T19:54:42.131Z

NVD

Status: Received

Published: 2026-04-21T19:16:17.743

Modified: 2026-04-21T21:16:42.843

Link: CVE-2026-40613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:30:11Z

Weaknesses