cbcvebase.
CVE-2026-43994
published 2026-06-18

Priority P263 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.45% (35.9th percentile)

Coturn is a free open source implementation of a TURN and STUN server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. Because the overflow occurs before AES-GCM authentication is verified, the attacker does not need to know the OAuth key or produce a valid AES-GCM token. Up to 735 bytes of attacker-controlled data are written past the buffer and may corrupt adjacent stack data, including control-flow data, depending on compiler, ABI, and mitigations. Requires --oauth mode (non-default). This may provide a plausible RCE primitive depending on exploit mitigations; because coturn is widely deployed for WebRTC TURN/STUN and --oauth is commonly recommended, impact can be broad. This issue has been fixed in version 4.10.0.
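The defect described above is a length field taken from untrusted input and used as a memcpy() count into a fixed 256-byte buffer. The following is an added example (not coturn's code and not the actual fix in 4.10.0) showing the shape of the check a decoder needs: validate the attacker-chosen nonce_len against the destination buffer and against the remaining token bytes before copying, and do so regardless of whether the token later passes AES-GCM verification. The token wire layout (2-byte big-endian nonce_len followed by the nonce bytes), the struct and the result codes are assumptions for this illustration; only the field name and the 256-byte size come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Illustrative block: the field name and size mirror the advisory
 * (oauth_encrypted_block.nonce[256]); everything else is assumed. */
#define OAUTH_NONCE_MAX 256

typedef struct {
    uint16_t nonce_len;
    uint8_t  nonce[OAUTH_NONCE_MAX];
} oauth_block_t;

enum decode_result {
    DECODE_OK = 0,
    DECODE_ERR_TRUNCATED = -1,      /* token shorter than its header claims */
    DECODE_ERR_NONCE_TOO_LONG = -2  /* nonce_len exceeds the fixed buffer   */
};

/* Parse the nonce from an untrusted token (assumed layout: 2-byte big-endian
 * nonce_len, then nonce_len bytes of nonce). Both length checks run before
 * memcpy(), i.e. before any cryptographic check of the token, because the
 * copy itself is what overflowed in the vulnerable version. */
int decode_nonce_checked(const uint8_t *tok, size_t tok_len, oauth_block_t *out)
{
    if (tok_len < 2)
        return DECODE_ERR_TRUNCATED;

    uint16_t nonce_len = (uint16_t)((tok[0] << 8) | tok[1]);

    /* The check the vulnerable code lacked: the untrusted length must fit
     * the 256-byte destination. Without it, nonce_len up to 65535 is
     * handed straight to memcpy(). */
    if (nonce_len > sizeof(out->nonce))
        return DECODE_ERR_NONCE_TOO_LONG;

    /* Bound the read side too, so the copy never runs past the token. */
    if ((size_t)nonce_len > tok_len - 2)
        return DECODE_ERR_TRUNCATED;

    out->nonce_len = nonce_len;
    memcpy(out->nonce, tok + 2, nonce_len);
    return DECODE_OK;
}

/* Build a constructed token: a nonce_len header followed by payload_len
 * filler bytes (the two may disagree, to exercise the truncation check). */
size_t build_token(uint8_t *buf, size_t buf_len, uint16_t nonce_len, size_t payload_len)
{
    if (buf_len < 2 + payload_len)
        return 0;
    buf[0] = (uint8_t)(nonce_len >> 8);
    buf[1] = (uint8_t)(nonce_len & 0xff);
    memset(buf + 2, 0x41, payload_len);
    return 2 + payload_len;
}

/* Convenience wrapper: build a constructed token and decode it, returning
 * the decode_result code. */
int decode_constructed(uint16_t nonce_len, size_t payload_len)
{
    uint8_t tok[2 + 1024];
    oauth_block_t blk;
    size_t n = build_token(tok, sizeof tok, nonce_len, payload_len);
    return decode_nonce_checked(tok, n, &blk);
}

int main(void)
{
    printf("nonce_len=12,    payload=12    -> %d\n", decode_constructed(12, 12));
    printf("nonce_len=256,   payload=256   -> %d\n", decode_constructed(256, 256));
    printf("nonce_len=256,   payload=255   -> %d\n", decode_constructed(256, 255));
    printf("nonce_len=257,   payload=257   -> %d\n", decode_constructed(257, 257));
    printf("nonce_len=65535, payload=1000  -> %d\n", decode_constructed(65535, 1000));
    return 0;
}
```

The order of the two checks matters for the defender's view of this bug: the destination-size check rejects any oversized nonce_len on its own, so a token crafted to trigger the overflow is refused at the parser rather than reaching memcpy(), and the rejection happens whether or not the sender holds the OAuth key.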

Affected (2 ranges)

Vendor           Product   Version range   Fixed in
coturn           coturn    < 4.10.0        4.10.0
coturn_project   coturn    < 4.10.0        4.10.0

Detection & IOCs (extracted from sources)

  • Detection scope is the vulnerable function decode_oauth_token_gcm() in coturn versions prior to 4.10.0; look for oversized nonce_len values (uint16_t, 0–65535) in OAuth access tokens being processed by a TURN/STUN server
  • The overflow occurs before AES-GCM authentication is verified, so any malformed or unauthenticated OAuth token with a large nonce_len field sent to a coturn instance running in --oauth mode is a potential exploit attempt; no valid key is required
  • Monitor coturn processes for stack corruption signals (crashes, segfaults, unexpected exits) on TURN/STUN ports when --oauth mode is enabled, as up to 735 bytes of attacker-controlled data can be written past the buffer
  • Flag coturn deployments running with the --oauth command-line flag as in scope for this vulnerability; --oauth is described as commonly recommended despite being non-default
  • The vulnerability only affects coturn instances explicitly started with the --oauth flag; default deployments without --oauth are not vulnerable
  • Exploitability and RCE reliability depend on compiler, ABI, and deployed exploit mitigations (e.g., stack canaries, ASLR, NX); not universally exploitable to RCE
  • Fixed in coturn version 4.10.0; all prior versions are affected