CVE-2026-40613

HIGH 7.5

Coturn: Misaligned Memory Access in coturn STUN Attribute Parser (Remote DoS on ARM64)

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.

CWE	CWE-704
Vendor	coturn
Product	coturn
Published	Apr 21, 2026
Last Updated	Apr 21, 2026

Stay Ahead of the Next One

Get instant alerts for coturn coturn

Be the first to know when new high vulnerabilities affecting coturn coturn are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

coturn / coturn

< 4.10.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36