Coturn
Remote denial of service in Coturn TURN/STUN server allows unauthenticated attackers to crash ARM64 deployments with a single malformed UDP packet. The vulnerability triggers a fatal SIGBUS signal via misaligned memory access during STUN attribute parsing, requiring no authentication or special configuration. All ARM64 installations of Coturn prior to 4.10.0 are vulnerable to instant process termination. EPSS exploitation probability is not yet available as this is a newly disclosed CVE, but the attack complexity is low (AC:L) and requires no privileges (PR:N), making exploitation trivial once awareness spreads in attacker communities.
Coturn TURN/STUN server contains an access control bypass that allows remote attackers to reach blocked internal addresses by exploiting IPv4-mapped IPv6 address handling in permission and channel binding requests. The vulnerability bypasses "denied-peer-ip" restrictions designed to block loopback ranges, enabling an attacker to interact with internal services that should be unreachable. Public exploit code exists for this flaw, and a patch is available in version 4.9.0 and later.
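The class of check behind the access control bypass described above, shown as an added example that is not Coturn's code: a peer-address deny test that unwraps IPv4-mapped IPv6 addresses before applying an IPv4 rule, next to a weak variant that does not. The function names, the single 127.0.0.0/8 rule and the sample addresses are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed deny rule: IPv4 loopback 127.0.0.0/8, in host byte order. */
#define DENY_NET  0x7F000000u
#define DENY_MASK 0xFF000000u

static int v4_denied(uint32_t h) { return (h & DENY_MASK) == DENY_NET; }

/* Weak check (hypothetical): the IPv4 rule is applied to AF_INET input only. */
int peer_denied_naive(const char *peer) {
    struct in_addr a4;
    if (inet_pton(AF_INET, peer, &a4) == 1)
        return v4_denied(ntohl(a4.s_addr));
    return 0; /* every IPv6 form skips the IPv4 rule */
}

/* Hardened check (hypothetical): 1 = deny, 0 = allow; unparseable input is denied. */
int peer_denied(const char *peer) {
    struct in_addr a4;
    struct in6_addr a6;
    uint32_t v4;
    if (inet_pton(AF_INET, peer, &a4) == 1)
        return v4_denied(ntohl(a4.s_addr));
    if (inet_pton(AF_INET6, peer, &a6) != 1)
        return 1; /* fail closed */
    if (IN6_IS_ADDR_LOOPBACK(&a6))
        return 1; /* ::1 is loopback as well */
    if (IN6_IS_ADDR_V4MAPPED(&a6)) {
        /* ::ffff:a.b.c.d carries the IPv4 address in its last 4 bytes;
           copy them out instead of casting the pointer. */
        memcpy(&v4, &a6.s6_addr[12], sizeof v4);
        return v4_denied(ntohl(v4));
    }
    return 0;
}

int main(void) {
    /* Constructed sample peer addresses. */
    const char *s[] = {"127.0.0.1", "::ffff:127.0.0.1", "::ffff:192.0.2.10"};
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-20s naive=%d hardened=%d\n", s[i], peer_denied_naive(s[i]), peer_denied(s[i]));
    return 0;
}
```

The same normalization belongs in any layer that enforces peer restrictions in front of a TURN relay, so that both address families are judged against one rule set.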