CVE-2026-43994
Published 2026-06-18
Priority: P263 · Severity: critical · CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.45% (35.9th percentile)
Coturn is a free open source implementation of a TURN and STUN server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (range 0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. The overflow occurs before AES-GCM authentication is verified, so the attacker does not need to know the OAuth key or produce a valid AES-GCM token. Up to 735 bytes of attacker-controlled data are written past the buffer and may corrupt adjacent stack data, including control-flow data, depending on compiler, ABI, and mitigations. The issue requires --oauth mode, which is not the default. This may provide a plausible RCE primitive depending on exploit mitigations; because coturn is widely deployed for WebRTC TURN/STUN and --oauth is commonly recommended, the impact can be broad. This issue has been fixed in version 4.10.0.
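The defect described above is a length field taken from untrusted input and used as a memcpy() length into a fixed-size stack buffer. The following C example is added here to show the hardened shape of that decode step; it is not coturn's code, and the token layout (a big-endian uint16_t nonce_len followed by the nonce bytes), the function names decode_token_header(), build_token() and check_case(), and the result codes are all constructed for illustration. Only the 256-byte nonce buffer size is taken from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed token layout for illustration only (not coturn's real format):
 *   [ uint16_t nonce_len, big-endian ][ nonce_len bytes of nonce ][ ... ]
 * The destination buffer size mirrors oauth_encrypted_block.nonce[256]. */
#define NONCE_BUF_SIZE 256

typedef struct {
    uint8_t  nonce[NONCE_BUF_SIZE];
    uint16_t nonce_len;
} token_header_t;

enum decode_result {
    DECODE_OK = 0,
    DECODE_TRUNCATED = 1,       /* token shorter than its declared contents */
    DECODE_NONCE_TOO_LONG = 2   /* declared nonce_len exceeds the fixed buffer */
};

/* Hardened decoder: nonce_len is validated against BOTH the fixed destination
 * buffer and the remaining input before any copy happens. The vulnerable
 * pattern in the advisory is the same memcpy() without these two checks,
 * executed before AES-GCM authentication, so rejecting here closes the
 * pre-authentication write. */
enum decode_result decode_token_header(const uint8_t *tok, size_t tok_len,
                                       token_header_t *out)
{
    if (tok_len < 2)
        return DECODE_TRUNCATED;

    uint16_t nonce_len = (uint16_t)((tok[0] << 8) | tok[1]);

    /* Check 1: destination capacity. A 0..65535 field must never drive a
     * copy into a 256-byte buffer unchecked. */
    if (nonce_len > NONCE_BUF_SIZE)
        return DECODE_NONCE_TOO_LONG;

    /* Check 2: source availability, so a short token cannot cause over-read. */
    if ((size_t)nonce_len > tok_len - 2)
        return DECODE_TRUNCATED;

    memcpy(out->nonce, tok + 2, nonce_len);
    out->nonce_len = nonce_len;
    return DECODE_OK;
}

/* Builds a constructed token with a declared nonce_len and an actual body
 * length (the two may disagree, which is exactly what a decoder must handle).
 * Returns the token length, or 0 if it does not fit in buf. */
size_t build_token(uint8_t *buf, size_t buf_size, uint16_t declared_len,
                   size_t body_len)
{
    if (buf_size < 2 + body_len)
        return 0;
    buf[0] = (uint8_t)(declared_len >> 8);
    buf[1] = (uint8_t)(declared_len & 0xff);
    memset(buf + 2, 0x41, body_len);   /* filler nonce bytes */
    return 2 + body_len;
}

/* Runs one decode attempt and returns the result code (-1 if the token
 * could not even be constructed). */
int check_case(uint16_t declared_len, size_t body_len)
{
    uint8_t tok[2048];
    token_header_t hdr;
    size_t n = build_token(tok, sizeof tok, declared_len, body_len);
    if (n == 0)
        return -1;
    return (int)decode_token_header(tok, n, &hdr);
}

int main(void)
{
    printf("16-byte nonce:            %d (expect 0)\n", check_case(16, 16));
    printf("256-byte nonce (max):     %d (expect 0)\n", check_case(256, 256));
    printf("257-byte nonce:           %d (expect 2)\n", check_case(257, 257));
    printf("65535 declared, short:    %d (expect 2)\n", check_case(65535, 1500));
    printf("100 declared, 50 present: %d (expect 1)\n", check_case(100, 50));
    return 0;
}
```

The order of the two checks matters for the failure mode the advisory describes: the destination-capacity check is the one that prevents the stack write, and it must run before the copy and before any authentication step, since a forged token never reaches AES-GCM verification in the vulnerable path anyway.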
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coturn | coturn | < 4.10.0 | 4.10.0 |
| coturn_project | coturn | < 4.10.0 | 4.10.0 |
Detection & IOCs (extracted from sources)
- Target the vulnerable function decode_oauth_token_gcm() in coturn versions prior to 4.10.0; look for oversized nonce_len values (uint16_t, 0–65535) in OAuth access tokens being processed by a TURN/STUN server
- The overflow occurs before AES-GCM authentication is verified, so any malformed/unauthenticated OAuth token with a large nonce_len field sent to a coturn instance running in --oauth mode is a potential exploit attempt; no valid key is required
- Monitor coturn processes for stack corruption signals (crashes, segfaults, unexpected exits) on TURN/STUN ports when --oauth mode is enabled, as up to 735 bytes of attacker-controlled data can be written past the buffer
- Flag coturn deployments running with the --oauth command-line flag as in scope for this vulnerability; --oauth is described as commonly recommended despite being non-default
- The vulnerability only affects coturn instances explicitly started with the --oauth flag; default deployments without --oauth are not vulnerable
- Exploitability and RCE reliability depend on compiler, ABI, and deployed exploit mitigations (e.g., stack canaries, ASLR, NX); not universally exploitable to RCE
- Fixed in coturn version 4.10.0; all prior versions are affected
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.