Skip to main content

Coturn CVE-2026-43994

| EUVDEUVD-2026-37941 CRITICAL
Classic Buffer Overflow (CWE-120)
2026-06-18 GitHub_M
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
HIGH
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Pre-auth remote overflow before the AES-GCM check gives AV:N/AC:L/PR:N/UI:N; impacts set High for the plausible RCE primitive, since the --oauth dependency is environmental rather than a base metric.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
CRITICAL
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 26, 2026 - 02:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 02:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 02:37 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 02:37 NVD
HIGH CRITICAL
CVSS changed
Jun 26, 2026 - 02:37 NVD
8.1 (HIGH) 9.8 (CRITICAL)
Patch available
Jun 18, 2026 - 22:16 EUVD
Source Code Evidence Fetched
Jun 18, 2026 - 20:45 vuln.today
Analysis Generated
Jun 18, 2026 - 20:45 vuln.today

DescriptionNVD

Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. The overflow occurs before AES-GCM authentication is verified, the attacker does not need to know the OAuth key or produce a valid AES-GCM token. Up to 735 bytes of attacker-controlled data are written past the buffer, may corrupt adjacent stack data, including control-flow data depending on compiler, ABI, and mitigations. Requires --oauth mode (non-default). This may provide a plausible RCE primitive depending on exploit mitigations; because coturn is widely deployed for WebRTC TURN/STUN and --oauth is commonly recommended, impact can be broad. This issue has been fixed in version 4.10.0.

AnalysisAI

Stack buffer overflow in Coturn's OAuth token decoder (decode_oauth_token_gcm()) lets remote unauthenticated attackers corrupt the server stack in all versions prior to 4.10.0. An attacker-controlled uint16_t nonce_len value (up to 65535) read from an OAuth access token is passed straight into memcpy() against a 256-byte stack buffer before any AES-GCM authentication, so no OAuth key or valid token is required to write up to 735 bytes past the buffer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach OAuth-enabled TURN listener
Delivery
Send crafted OAuth access token
Exploit
Oversized nonce_len passed to memcpy()
Execution
Overflow 256-byte stack nonce buffer
Persist
Corrupt adjacent stack/control-flow data
Impact
Crash service or execute code

Vulnerability AssessmentAI

Exploitation The server MUST be running in --oauth mode (explicitly noted as non-default) for the vulnerable decode_oauth_token_gcm() path to be reachable - this is the single hard prerequisite and the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an internet-facing Coturn server running in --oauth mode crafts a malformed OAuth access token whose embedded nonce_len field is set far above 256, then sends it during a TURN authentication exchange. Coturn copies the oversized nonce into a 256-byte stack buffer before verifying the AES-GCM tag, overflowing it by up to 735 bytes of attacker-controlled data and corrupting adjacent stack/control-flow data - yielding at minimum a remote crash (DoS) and potentially code execution depending on stack mitigations. …
Remediation Vendor-released patch: 4.10.0 - upgrade Coturn to 4.10.0 or later, which contains the fix titled 'Fix stack buffer overflow in OAuth token decoding' (PR #1850) per the release notes (https://github.com/coturn/coturn/releases/tag/4.10.0); review advisory GHSA-74pg-rfh2-5qw5 for details. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Coturn deployments to identify instances running with the --oauth flag enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-43994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy