Bug#1134577: coturn: CVE-2026-40613 remote DoS on ARM64 via misaligned STUN attribute parsing
James
james_montgomery at disroot.org
Wed Apr 22 00:00:55 BST 2026
Package: src:coturn
Version: 4.6.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: team at security.debian.org
Hi,
The security tracker currently lists coturn as unfixed for
CVE-2026-40613:
https://security-tracker.debian.org/tracker/CVE-2026-40613
Upstream advisory:
https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36
The advisory describes a pre-authentication remote denial of service on
ARM64/AArch64 systems. coturn's STUN/TURN attribute parsing performs
unsafe casts from uint8_t * to uint16_t * without alignment checks. A
crafted STUN packet with misaligned attributes can trigger a SIGBUS and
terminate turnserver on strict-alignment architectures. The advisory
rates this as high severity, CVSS 7.5, and lists patched version 4.10.0.
Debian currently has:
bullseye: 4.5.2-3
bookworm: 4.6.1-1
trixie/forky/sid: 4.6.1-2
I checked the current sid source, 4.6.1-2. The vulnerable unsafe casts
are present in src/client/ns_turn_msg.c, including:
stun_attr_get_len:
    return (int)(nswap16(((const uint16_t*)attr)[1]));
stun_attr_get_value:
    int len = (int)(nswap16(((const uint16_t*)attr)[1]));
stun_get_requested_address_family:
    int len = (int) (nswap16(((const uint16_t*)attr)[1]));
Upstream changed this code to use memcpy instead of direct uint16_t
pointer dereferences:
https://github.com/coturn/coturn/commit/eaa9e7920e98cd10d24ade07f474ddb4e05dc1ea
Regards,
James
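Added example, not code from the bug report or from coturn: an alignment-safe way to read the STUN attribute type and length fields the report quotes, using the memcpy approach the report says upstream adopted, exercised on a constructed Binding Request deliberately placed at an odd address. The function names, the RFC 5389 attribute layout and the sample packet are assumptions made for this example.

```c
/* Added example (not coturn's code): read STUN attribute headers (RFC 5389
 * layout assumed: 20-byte header, then 2-byte type, 2-byte length, value
 * padded to 4 bytes) without dereferencing a uint16_t* at an odd address. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define STUN_HDR_LEN 20

/* memcpy into a local lets the compiler emit byte loads where the target
 * enforces alignment (the ARM64 SIGBUS case), so attr may sit at any offset.
 * This is the pattern the report describes for the upstream fix. */
static uint16_t load_be16(const uint8_t *p) {
    uint16_t v;
    memcpy(&v, p, sizeof v);
    return ntohs(v);
}

int safe_attr_get_type(const uint8_t *attr) { return (int)load_be16(attr); }
int safe_attr_get_len(const uint8_t *attr)  { return (int)load_be16(attr + 2); }

/* Walk the attributes after the header. Returns the attribute count, or -1
 * if any declared length overruns the buffer (a separate, equally necessary
 * check that alignment-safe loads alone do not give you). */
int count_attrs(const uint8_t *buf, size_t buflen) {
    size_t off = STUN_HDR_LEN, n = 0;
    if (buflen < STUN_HDR_LEN) return -1;
    while (off + 4 <= buflen) {
        size_t len = (size_t)safe_attr_get_len(buf + off);
        size_t padded = (len + 3) & ~(size_t)3;
        if (off + 4 + padded > buflen) return -1;
        off += 4 + padded;
        n++;
    }
    return off == buflen ? (int)n : -1;
}

/* Constructed sample: the struct is 4-byte aligned and the 1-byte pad forces
 * pkt to an odd address, exactly what a (const uint16_t*) cast cannot handle. */
_Alignas(4) static const struct { uint8_t pad; uint8_t pkt[32]; } sample = { 0, {
    0x00,0x01, 0x00,0x0c, 0x21,0x12,0xa4,0x42,       /* Binding Request, length 12 */
    0,0,0,0, 0,0,0,0, 0,0,0,0,                        /* transaction id (zeros) */
    0x00,0x06, 0x00,0x03, 'a','b','c',0x00,           /* USERNAME "abc", padded */
    0x80,0x22, 0x00,0x00 } };                         /* SOFTWARE, empty value */

int demo_attr_count(void) { return count_attrs(sample.pkt, sizeof sample.pkt); }
int demo_first_len(void)  { return safe_attr_get_len(sample.pkt + STUN_HDR_LEN); }
```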