Description
Coturn is a free open source implementation of a TURN and STUN server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. The overflow occurs before AES-GCM authentication is verified, so the attacker does not need to know the OAuth key or produce a valid AES-GCM token. Up to 735 bytes of attacker-controlled data are written past the buffer and may corrupt adjacent stack data, including control-flow data, depending on compiler, ABI, and mitigations. Requires --oauth mode (non-default). This may provide a plausible RCE primitive depending on exploit mitigations; because coturn is widely deployed for WebRTC TURN/STUN and --oauth is commonly recommended, impact can be broad. This issue has been fixed in version 4.10.0.
Published: 2026-06-18
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Coturn, an open-source TURN/STUN server, has a stack buffer overflow in the decode_oauth_token_gcm() routine. An attacker can supply an OAuth access token whose nonce_len field, read as a 16‑bit integer, controls the length passed to memcpy(). Because the code copies up to 65535 bytes into a fixed 256‑byte buffer without bounds checking, up to 735 bytes of attacker‑controlled data may overwrite adjacent stack memory. This corruption can include control‑flow information, potentially allowing remote code execution. The overflow occurs before the AES‑GCM authentication check, so the attacker does not need to know the OAuth key or produce a valid token.
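The defect described in the Description and in the Impact paragraph above is the classic CWE-120 shape: a length field taken from untrusted input is used as the memcpy() count into a fixed stack buffer. The block below is an added illustration, not coturn's source: the struct layout, the big-endian wire encoding of nonce_len, and the function names decode_nonce_unchecked, decode_nonce_checked, build_token and try_decode_checked are all assumptions chosen to mirror the advisory's description (a uint16_t nonce_len copied into a 256-byte nonce buffer). It shows the unchecked pattern next to a hardened decoder that validates the length before copying and independently of any AES-GCM verification; the hardened version also checks the length against the bytes actually present in the token, which the advisory does not discuss.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the fixed nonce buffer named in the advisory: oauth_encrypted_block.nonce[256]. */
#define NONCE_BUF 256
/* Largest token body this example constructs; a cap for the demo, not a protocol value. */
#define MAX_BODY 1024

/* Illustrative block layout (assumption): a real decoder carries further fields. */
struct oauth_encrypted_block {
    uint16_t nonce_len;
    uint8_t  nonce[NONCE_BUF];
};

/* Assumed wire layout for this example: 2-byte big-endian nonce_len, then the
 * nonce bytes, then the AES-GCM ciphertext and tag (not modelled here). */
static uint16_t read_u16be(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* The CWE-120 pattern the advisory describes: the copy length is read from the
 * token and handed straight to memcpy(). Kept for contrast; main() only feeds
 * it a well-formed token, where the defect is invisible. */
int decode_nonce_unchecked(const uint8_t *tok, size_t tok_len,
                           struct oauth_encrypted_block *out)
{
    if (tok_len < 2) return -1;
    out->nonce_len = read_u16be(tok);
    memcpy(out->nonce, tok + 2, out->nonce_len);   /* no bound on nonce_len */
    return 0;
}

/* Hardened decoder: the length is checked against the destination buffer and
 * against the bytes actually present, before the copy and before any crypto. */
int decode_nonce_checked(const uint8_t *tok, size_t tok_len,
                         struct oauth_encrypted_block *out)
{
    if (tok_len < 2) return -1;                /* too short to hold nonce_len */
    uint16_t n = read_u16be(tok);
    if (n > sizeof(out->nonce)) return -2;     /* would overflow the stack buffer */
    if (n > tok_len - 2) return -3;            /* token truncated: would over-read */
    out->nonce_len = n;
    memcpy(out->nonce, tok + 2, n);
    return 0;
}

/* Builds a constructed token: claimed nonce_len followed by `body` filler bytes. */
static size_t build_token(uint8_t *tok, uint16_t claimed_len, size_t body)
{
    tok[0] = (uint8_t)(claimed_len >> 8);
    tok[1] = (uint8_t)(claimed_len & 0xff);
    memset(tok + 2, 0xAB, body);
    return 2 + body;
}

/* Runs the hardened decoder on a constructed token and returns its result code:
 * 0 accepted, -2 length exceeds the buffer, -3 length exceeds the token. */
int try_decode_checked(uint16_t claimed_len, size_t body)
{
    uint8_t tok[2 + MAX_BODY];
    struct oauth_encrypted_block blk;
    if (body > MAX_BODY) return -99;
    size_t len = build_token(tok, claimed_len, body);
    return decode_nonce_checked(tok, len, &blk);
}

int main(void)
{
    uint8_t tok[2 + MAX_BODY];
    struct oauth_encrypted_block blk;

    /* A well-formed token (12-byte nonce) decodes identically with both versions. */
    size_t len = build_token(tok, 12, 12);
    int rc = decode_nonce_unchecked(tok, len, &blk);
    printf("unchecked, well-formed token: rc=%d nonce_len=%u\n", rc, blk.nonce_len);
    printf("checked,   well-formed token: rc=%d\n", try_decode_checked(12, 12));

    /* Hostile lengths are refused before memcpy() runs. */
    printf("checked, nonce_len=65535:           rc=%d\n", try_decode_checked(65535, 64));
    printf("checked, nonce_len=257:             rc=%d\n", try_decode_checked(257, 257));
    printf("checked, nonce_len=100, 50 present: rc=%d\n", try_decode_checked(100, 50));
    return 0;
}
```

The point to take from the hardened version is ordering: the bounds check sits before the copy and does not depend on the AES-GCM tag being valid, so a token with an oversized nonce_len is rejected without the server ever needing the OAuth key, which is exactly the stage at which the advisory says the unchecked copy fires.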

Affected Systems

The vulnerability affects the coturn:coturn package (vendor Coturn, product coturn). All releases older than version 4.10.0 are vulnerable. Servers that have the --oauth mode enabled are susceptible; the mode is not enabled by default but is commonly recommended for secure TURN deployment.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. No EPSS score is available, and the CVE is not listed in CISA KEV. The flaw requires that the TURN server is running with --oauth enabled and that an attacker can send a crafted OAuth token. Because the overflow happens before AES-GCM authentication is checked, triggering it does not require a valid token; it can be triggered with a simple HTTP request. Successful exploitation depends on mitigations such as stack canaries, ASLR, and compiler hardening; if such protections are absent or ineffective, a crafted payload could hijack control flow and achieve remote code execution.

Generated by OpenCVE AI on June 18, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade coturn to version 4.10.0 or later to apply the vendor patch.
  • If the TURN server does not require OAuth authentication, disable the --oauth mode to eliminate the vulnerable code path.
  • Restrict access to the TURN/STUN service using network controls or firewalls to limit interactions to trusted clients only.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Coturn
                                      Coturn coturn
Vendors & Products                    Coturn
                                      Coturn coturn

Thu, 18 Jun 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    Coturn is a free open source implementation of a TURN and STUN server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. The overflow occurs before AES-GCM authentication is verified, so the attacker does not need to know the OAuth key or produce a valid AES-GCM token. Up to 735 bytes of attacker-controlled data are written past the buffer and may corrupt adjacent stack data, including control-flow data, depending on compiler, ABI, and mitigations. Requires --oauth mode (non-default). This may provide a plausible RCE primitive depending on exploit mitigations; because coturn is widely deployed for WebRTC TURN/STUN and --oauth is commonly recommended, impact can be broad. This issue has been fixed in version 4.10.0.
Title                          Coturn: Stack buffer overflow in decode_oauth_token_gcm()
Weaknesses                     CWE-120
References
Metrics                        cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T19:44:46.575Z

Reserved: 2026-05-04T20:24:31.917Z

Link: CVE-2026-43994

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T22:00:12Z

Weaknesses
  • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')