Memory Misalignment Vulnerability in Coturn Server
CVE-2026-40613

7.5 HIGH

Key Information:

Vendor

Coturn

Status
Vendor
CVE Published:
21 April 2026

What is CVE-2026-40613?

coturn is an open source TURN and STUN server. Prior to version 4.10.0, its STUN attribute parsing functions read 16-bit fields by casting a uint8_t * into the packet buffer to uint16_t * and dereferencing it, without checking that the pointer was 2-byte aligned. A remote attacker can send a specially crafted STUN message whose attributes land at misaligned offsets and so force misaligned 16-bit reads. The cast is undefined behaviour on every target, but it only faults where the hardware enforces alignment: on ARM64 systems with strict alignment checking the read raises SIGBUS and the turnserver process crashes immediately, whereas on targets that tolerate unaligned loads the same read silently succeeds. A single malicious UDP packet is enough, no authentication is required, and the result is a denial of service against coturn deployments on ARM64.
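The following is an added example, not coturn's own code, showing the anti-pattern the advisory describes beside an alignment-safe attribute walker. It assumes the RFC 5389 wire layout (20-byte header, attributes as 16-bit type, 16-bit length, value padded to 4 bytes); the sample messages are constructed for this example, and the misaligned condition is simulated by copying a message to a 1-byte offset rather than by reproducing the advisory's exact crafted packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define STUN_HDR_LEN 20  /* type(2) length(2) magic cookie(4) transaction id(12), RFC 5389 */

/* The pattern the advisory describes: a byte pointer into the packet buffer is
 * cast to uint16_t * and dereferenced. This is undefined behaviour whenever p
 * is not 2-byte aligned; on strict-alignment ARM64 it raises SIGBUS. Shown as
 * the anti-pattern only; nothing below calls it. */
uint16_t read_u16_unsafe(const uint8_t *p) {
    return ntohs(*(const uint16_t *)p);
}

/* Alignment-safe replacement: two byte loads and a shift. Works for any p. */
static uint16_t read_u16_be(const uint8_t *p) {
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Returns 1 when p is not aligned to `align` bytes, the condition under which
 * the cast-based read faults on strict-alignment hardware. */
int is_misaligned(const void *p, size_t align) {
    return ((uintptr_t)p % align) != 0;
}

/* Walk the attribute list of a STUN message. Returns the attribute count, or
 * -1 if the message is malformed (short header, length field disagreeing with
 * the buffer, or an attribute running past the end). Only byte-wise reads are
 * used, so `buf` may sit at any alignment without faulting. */
int stun_count_attrs(const uint8_t *buf, size_t len) {
    if (len < STUN_HDR_LEN) return -1;
    size_t msg_len = read_u16_be(buf + 2);
    if (msg_len % 4 != 0 || STUN_HDR_LEN + msg_len != len) return -1;

    size_t off = STUN_HDR_LEN;
    int n = 0;
    while (off < len) {
        if (len - off < 4) return -1;                       /* no room for type+length */
        uint16_t atype = read_u16_be(buf + off);
        uint16_t alen  = read_u16_be(buf + off + 2);
        size_t padded  = ((size_t)alen + 3) & ~(size_t)3;   /* values are padded to 4 bytes */
        if (padded > len - off - 4) return -1;              /* attribute overruns the message */
        (void)atype;                                        /* a real parser would dispatch on this */
        off += 4 + padded;
        n++;
    }
    return n;
}

/* Constructed sample: a Binding Request carrying one SOFTWARE attribute. */
static _Alignas(4) const uint8_t kMsg[32] = {
    0x00, 0x01, 0x00, 0x0c,                 /* Binding Request, message length 12 */
    0x21, 0x12, 0xa4, 0x42,                 /* magic cookie */
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,   /* transaction id (arbitrary) */
    0x80, 0x22, 0x00, 0x06,                 /* SOFTWARE (0x8022), length 6 */
    'c', 'o', 't', 'u', 'r', 'n', 0, 0      /* value plus 2 bytes of padding */
};

/* Constructed malformed sample: same header, but the attribute claims 16 bytes
 * of value while only 8 remain. A parser that trusts the length reads past the
 * buffer; this one rejects it. */
static _Alignas(4) const uint8_t kBadLen[32] = {
    0x00, 0x01, 0x00, 0x0c, 0x21, 0x12, 0xa4, 0x42,
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,
    0x80, 0x22, 0x00, 0x10,
    'c', 'o', 't', 'u', 'r', 'n', 0, 0
};

/* Copy the sample into storage at a 1-byte offset so every 16-bit field lands
 * on an odd address. This simulates the misaligned-pointer condition (it is
 * not the advisory's crafted packet); the byte-wise parser still succeeds,
 * whereas read_u16_unsafe() on these addresses would fault on strict-alignment ARM64. */
int parse_from_misaligned_copy(void) {
    static _Alignas(8) uint8_t storage[64];
    uint8_t *p = storage + 1;
    memcpy(p, kMsg, sizeof kMsg);
    if (!is_misaligned(p + STUN_HDR_LEN, 2)) return -2;  /* sanity: the attribute header really is misaligned */
    return stun_count_attrs(p, sizeof kMsg);
}

int main(void) {
    printf("aligned   : %d attribute(s)\n", stun_count_attrs(kMsg, sizeof kMsg));
    printf("misaligned: %d attribute(s)\n", parse_from_misaligned_copy());
    printf("truncated : %d\n", stun_count_attrs(kMsg, sizeof kMsg - 2));
    printf("bad length: %d\n", stun_count_attrs(kBadLen, sizeof kBadLen));
    return 0;
}
```

Building the cast-based variant with UBSan (`-fsanitize=alignment` in gcc or clang) reports the misaligned dereference on any architecture, including x86 where the hardware would otherwise hide it, which is a cheap way to catch this class of bug before it reaches an ARM64 host. For deployments, the fix is to run coturn 4.10.0 or later.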

Affected Version(s)

coturn < 4.10.0

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 21 April 2026

  • Vulnerability reserved