What is the CVSS score of CVE-2026-40613?

CVE-2026-40613 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Coturn are affected by CVE-2026-40613?

CVE-2026-40613 affects Coturn TURN/STUN servers deployed on ARM64 architecture, enabling unauthenticated remote attackers to crash the service with a single malformed network packet.. A patch is available.

How to fix or mitigate CVE-2026-40613?

Within 24 hours: Identify all ARM64-based Coturn deployments in your infrastructure and document their version numbers and network exposure. Within 7 days: Implement network-layer filtering on UDP ports used by Coturn (typically 3478-3479) to restrict traffic to trusted sources only, and deploy monitoring for abnormal process crashes. Within 30 days: Migrate affected ARM64 deployments to x86-64 architecture if operationally feasible, or maintain continuous vendor advisory monitoring for Coturn 4.10.0+ patch availability.

Coturn CVE-2026-40613

EUVD-2026-24228 HIGH

Incorrect Type Conversion or Cast (CWE-704)

2026-04-21 GitHub_M

Denial Of Service Coturn

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Apr 24, 2026 - 13:41 nvd

Patch available

Re-analysis Queued

Apr 21, 2026 - 21:22 vuln.today

cvss_changed

Patch available

Apr 21, 2026 - 20:02 EUVD

Analysis Generated

Apr 21, 2026 - 19:46 vuln.today

EUVD ID Assigned

Apr 21, 2026 - 19:00 euvd

EUVD-2026-24228

Analysis Generated

Apr 21, 2026 - 19:00 vuln.today

CVE Published

Apr 21, 2026 - 18:00 nvd

HIGH 7.5

DescriptionGitHub Advisory

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.

AnalysisAI

Remote denial of service in Coturn TURN/STUN server allows unauthenticated attackers to crash ARM64 deployments with a single malformed UDP packet. The vulnerability triggers a fatal SIGBUS signal via misaligned memory access during STUN attribute parsing, requiring no authentication or special configuration. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Network reconnaissance identifies ARM64 Coturn instance

Delivery

Craft STUN message with odd-aligned attribute boundaries

Exploit

Send malformed UDP packet to port 3478

Execution

Trigger misaligned pointer dereference in ns_turn_msg.c

Persist

SIGBUS signal terminates turnserver process

Impact

Denial of service disrupts active TURN sessions

Access

Network reconnaissance identifies ARM64 Coturn instance

Delivery

Craft STUN message with odd-aligned attribute boundaries

Exploit

Send malformed UDP packet to port 3478

Execution

Trigger misaligned pointer dereference in ns_turn_msg.c

Persist

SIGBUS signal terminates turnserver process

Impact

Denial of service disrupts active TURN sessions

Vulnerability AssessmentAI

Exploitation	Requires Coturn deployment running on ARM64 (AArch64) architecture with strict alignment enforcement. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	This represents a high-severity availability threat with extremely low exploitation complexity against a specific architectural deployment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker identifies an ARM64-based Coturn server exposed on the public internet, typically through banner grabbing on UDP port 3478 or by observing WebRTC infrastructure in browser developer tools. The attacker crafts a STUN Binding Request message with attribute boundaries positioned at odd byte offsets, violating 16-bit alignment requirements for ARM64 memory access. …
Remediation	Upgrade Coturn to version 4.10.0 or later, which includes fixes for unsafe pointer casting in STUN attribute parsing functions. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all ARM64-based Coturn deployments in your infrastructure and document their version numbers and network exposure. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-40613 vulnerability details – vuln.today

Back

Coturn CVE-2026-40613

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code