CVE-2026-40613
Published 2026-04-21
Priority: P346 | Severity: High | CVSS 3.1 base score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.12% (62.2nd percentile)
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.
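Added illustration (not coturn's code and not the 4.10.0 patch): the defensive pattern the advisory points at. A STUN attribute walker whose 16- and 32-bit field reads assemble the value byte by byte instead of casting uint8_t * to uint16_t *, so an attribute boundary at an odd offset behaves identically on x86 and on AArch64 with strict alignment, and every read is bounds-checked against the buffer the caller actually received. The sample message, the attribute types chosen, and every function name here are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Alignment-safe, endian-explicit field reads. Assembling the value from
 * individual bytes is valid at any address, so there is no misaligned load
 * and no SIGBUS on an architecture that enforces alignment. */
uint16_t rd16be(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}
uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The precondition a 2-byte load through a cast uint16_t * would need.
 * Shown only to make the problem concrete: buf + 1 fails it, buf + 2 passes. */
int is_aligned_for_u16(const void *p) {
    return ((uintptr_t)p % _Alignof(uint16_t)) == 0;
}

/* Returns 1 when a 2-aligned buffer is aligned at offset 0 and not at 1. */
int odd_offset_is_misaligned(void) {
    static _Alignas(uint16_t) uint8_t buf[4];
    return is_aligned_for_u16(buf) && !is_aligned_for_u16(buf + 1);
}

#define STUN_HDR_LEN 20
#define STUN_MAGIC_COOKIE 0x2112A442u

/* Walk the attribute section of a STUN message (RFC 5389 layout: 20-byte
 * header, then Type(2) Length(2) Value(Length, padded to 4 bytes)).
 * Returns the number of well-framed attributes, or -1 if the message is
 * malformed. No field is read through a cast pointer, so an odd attribute
 * boundary cannot produce a misaligned access, and every length is checked
 * against the bytes actually present before it is trusted. */
int count_stun_attributes(const uint8_t *msg, size_t len) {
    if (len < STUN_HDR_LEN) return -1;
    if (rd32be(msg + 4) != STUN_MAGIC_COOKIE) return -1;
    size_t body_len = rd16be(msg + 2);
    if (body_len > len - STUN_HDR_LEN) return -1;     /* header claims more than received */

    size_t off = STUN_HDR_LEN, end = STUN_HDR_LEN + body_len;
    int count = 0;
    while (off < end) {
        if (end - off < 4) return -1;                  /* truncated attribute header */
        uint16_t atype = rd16be(msg + off);            /* read safely; unused when counting */
        uint16_t alen  = rd16be(msg + off + 2);
        size_t padded  = ((size_t)alen + 3) & ~(size_t)3;
        if (padded > end - off - 4) return -1;         /* value would run past the body */
        (void)atype;
        off += 4 + padded;
        count++;
    }
    return count;
}

/* Constructed sample (not a capture): a Binding Request carrying SOFTWARE
 * ("hello", length 5, padded to 8) followed by PRIORITY (length 4). */
size_t build_sample_message(uint8_t *out, size_t cap) {
    static const uint8_t msg[] = {
        0x00, 0x01, 0x00, 0x14,                          /* Binding Request, body length 20 */
        0x21, 0x12, 0xA4, 0x42,                          /* magic cookie */
        1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,           /* transaction id (constructed) */
        0x80, 0x22, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o', 0, 0, 0,   /* SOFTWARE */
        0x00, 0x24, 0x00, 0x04, 0x6e, 0x00, 0x01, 0xff,             /* PRIORITY */
    };
    if (cap < sizeof msg) return 0;
    memcpy(out, msg, sizeof msg);
    return sizeof msg;
}

int main(void) {
    uint8_t buf[64];
    size_t n = build_sample_message(buf, sizeof buf);
    printf("attributes accepted: %d\n", count_stun_attributes(buf, n));
    buf[3] = 0x08;   /* body length now too short for the 5-byte SOFTWARE value */
    printf("after shrinking the body length: %d\n", count_stun_attributes(buf, n));
    return 0;
}
```

The point of the byte-assembly reads is that correctness no longer depends on the offset the peer chose: a parser written this way is unaffected by whether the platform traps on misaligned loads, which is also why such bugs hide on x86 test hosts and surface only on AArch64 deployments.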
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coturn | coturn | < 4.10.0 | 4.10.0 |
| coturn_project | coturn | < 4.10.0 | 4.10.0 |
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-40613 [HIGH] coturn: Denial of Service due to misaligned memory reads from crafted STUN messages
bugzilla · 2026-04-21 · CVSS 7.5
Bugzilla
CVE-2026-40613 [HIGH] coturn: Denial of Service due to misaligned memory reads from crafted STUN messages [epel-all]
bugzilla · 2026-04-21 · CVSS 7.5
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-EPEL-2026-8022001aef (coturn-4.10.0-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-8022001aef
---
FEDORA-EPEL-2026-5e71b7731b (coturn-4.10.0-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-5e71b7731b
---
FEDORA-EPEL-2026-63737a3630 (coturn-4.10.0-1.el10_1) has been submitted as an updat
Bugzilla
CVE-2026-40613 [HIGH] coturn: Denial of Service due to misaligned memory reads from crafted STUN messages [fedora-all]
bugzilla · 2026-04-21 · CVSS 7.5
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-1c11dc3e37 (coturn-4.10.0-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-1c11dc3e37
---
FEDORA-2026-1adc5f1ef8 (coturn-4.10.0-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-1adc5f1ef8
---
FEDORA-2026-e673311164 (coturn-4.10.0-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject
Published: 2026-04-21