Description

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.

INFO

Published Date :

2026-04-21T18:00:53.342Z

Last Modified :

2026-04-21T20:36:46.136Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40613 vulnerability.

Vendors Products
Coturn
  • Coturn
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40613.

URL Resource
https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact