PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43994 coturn CVE debrief

Coturn, a free open-source implementation of a TURN and STUN server, is vulnerable to a stack buffer overflow in decode_oauth_token_gcm(). This issue allows an attacker to write up to 735 bytes of controlled data past a 256-byte stack buffer, potentially corrupting adjacent stack data, including control-flow data. The vulnerability exists in versions prior to 4.10.0 and is exploitable in --oauth mode, which is a non-default setting but one commonly recommended for WebRTC TURN/STUN deployments. Successful exploitation could provide a remote code execution (RCE) primitive, depending on the system's mitigations.

Vendor
coturn
Product
Unknown
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-22
Advisory published
2026-06-18
Advisory updated
2026-06-22

Who should care

Organizations using Coturn for WebRTC TURN/STUN services, especially those with --oauth mode enabled, should prioritize patching. This vulnerability has a high CVSS score of 8.1 and could lead to broad impact due to Coturn's widespread deployment.

Technical summary

The vulnerability arises from a uint16_t nonce_len field read from an attacker-supplied OAuth access token being passed directly to memcpy() as the copy length into a 256-byte stack buffer without bounds checking. This occurs before AES-GCM authentication is verified, meaning the attacker does not need to know the OAuth key or produce a valid AES-GCM token. The issue has been fixed in version 4.10.0.
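The following C snippet is an added illustration of the defect class described above and of the check that fixes it; it is not coturn's code and does not reproduce coturn's token format. It assumes a hypothetical token layout of a 2-byte big-endian nonce_len followed by the nonce bytes, and a 256-byte fixed destination buffer matching the size stated in the advisory. The point it makes is that an untrusted length must be validated against both the destination buffer and the remaining input before memcpy(), and that this validation has to happen before (not instead of) any authentication step, because the copy itself runs before the AES-GCM tag is checked.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the fixed stack buffer described in the advisory (256 bytes). */
#define NONCE_BUF_SIZE 256

/* Constructed, hypothetical token layout for this example only (not coturn's wire format):
 *   [2 bytes big-endian nonce_len][nonce_len bytes of nonce][... rest of token ...]
 */
typedef struct {
    uint8_t nonce[NONCE_BUF_SIZE];   /* fixed-size destination, as in the advisory */
    size_t  nonce_len;
} parsed_token_t;

enum {
    TOKEN_OK                 =  0,
    TOKEN_ERR_TRUNCATED      = -1,   /* declared length exceeds bytes actually present */
    TOKEN_ERR_NONCE_TOO_LONG = -2    /* declared length exceeds the destination buffer */
};

/* Hardened decode: the attacker-controlled nonce_len is validated before memcpy().
 * The vulnerable pattern the advisory describes omits "Check 1" and passes
 * nonce_len straight to memcpy(), so any value above 256 writes past the buffer. */
int decode_token_nonce(const uint8_t *token, size_t token_len, parsed_token_t *out)
{
    if (token_len < 2)
        return TOKEN_ERR_TRUNCATED;

    uint16_t nonce_len = (uint16_t)((token[0] << 8) | token[1]);

    /* Check 1: the declared length must fit the fixed-size destination buffer. */
    if (nonce_len > NONCE_BUF_SIZE)
        return TOKEN_ERR_NONCE_TOO_LONG;

    /* Check 2: the declared length must not exceed the input that is really there. */
    if ((size_t)nonce_len > token_len - 2)
        return TOKEN_ERR_TRUNCATED;

    memcpy(out->nonce, token + 2, nonce_len);
    out->nonce_len = nonce_len;
    return TOKEN_OK;
}

/* Builds a constructed token with a given declared nonce_len and a given number of
 * nonce bytes actually present, then returns the decoder's verdict. Used to show
 * that the header length is validated independently of the input length. */
int check_case(uint16_t declared_len, size_t bytes_present)
{
    uint8_t buf[2 + 1024];
    if (bytes_present > 1024)
        return -99;                   /* outside what this helper models */

    buf[0] = (uint8_t)(declared_len >> 8);
    buf[1] = (uint8_t)(declared_len & 0xff);
    memset(buf + 2, 0x41, bytes_present);   /* filler nonce bytes */

    parsed_token_t t;
    return decode_token_nonce(buf, 2 + bytes_present, &t);
}

int main(void)
{
    printf("12-byte nonce, 12 present      -> %d (expect 0)\n",  check_case(12, 12));
    printf("256-byte nonce, 256 present    -> %d (expect 0)\n",  check_case(256, 256));
    printf("991-byte nonce, 991 present    -> %d (expect -2)\n", check_case(991, 991));
    printf("100-byte nonce, only 50 present-> %d (expect -1)\n", check_case(100, 50));
    return 0;
}
```

The 991-byte case corresponds to the advisory's figures (256-byte buffer plus 735 bytes of overflow): with the length check in place the token is rejected before any copy occurs, and no key material or valid AES-GCM tag is involved in that decision. When auditing similar parsers, look for every length field that is read from the wire and trace it to each memcpy(), loop bound, or array index it reaches; each path needs the two checks shown here.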

Defensive priority

high

Recommended defensive actions

  • Immediately upgrade Coturn to version 4.10.0 or later.
  • Disable --oauth mode if not required.
  • Implement additional security measures such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) if not already in place.
  • Monitor Coturn installations for suspicious activity.
  • Consider using alternative TURN/STUN servers that do not have this vulnerability.
  • Review and enhance network segmentation to limit the potential impact of a successful exploit.

Evidence notes

The information provided is based on the CVE-2026-43994 record and related sources. The vulnerability details and impact are derived from the official CVE description and NVD data. The fix in version 4.10.0 is confirmed via the Coturn GitHub release notes.

Official resources

public