Bug#1140563: coturn: CVE-2026-43994

Salvatore Bonaccorso carnil at debian.org
Mon Jun 22 20:03:06 BST 2026


Source: coturn
Version: 4.12.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for coturn.

CVE-2026-43994[0]:
| Coturn is a free open source implementation of TURN and STUN Server.
| Versions prior to 4.10.0 contain a stack buffer overflow in
| decode_oauth_token_gcm(). A uint16_t nonce_len field read from an
| attacker-supplied OAuth access token (0-65535) is passed directly to
| memcpy() as the copy length into a 256-byte stack buffer
| (oauth_encrypted_block.nonce[256]) without bounds checking. The
| overflow occurs before AES-GCM authentication is verified, the
| attacker does not need to know the OAuth key or produce a valid AES-
| GCM token. Up to 735 bytes of attacker-controlled data are written
| past the buffer, may corrupt adjacent stack data, including control-
| flow data depending on compiler, ABI, and mitigations. Requires
| --oauth mode (non-default). This may provide a plausible RCE
| primitive depending on exploit mitigations; because coturn is widely
| deployed for WebRTC TURN/STUN and --oauth is commonly recommended,
| impact can be broad. This issue has been fixed in version 4.10.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-43994
    https://www.cve.org/CVERecord?id=CVE-2026-43994
[1] https://github.com/coturn/coturn/security/advisories/GHSA-74pg-rfh2-5qw5
[2] https://github.com/coturn/coturn/commit/5ca467e70915c033f371cd7a9742759c68f56363

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
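Added illustration of the bug class in the CVE text above (an untrusted 16-bit length used as a memcpy() length into a 256-byte stack buffer) and of the check that closes it; this is not code from the bug report or from coturn, and the token layout (2-byte big-endian nonce_len followed by the nonce bytes), the struct and the function names are assumed for the example.

```c
/* Hypothetical simplified decoder, written for this example.  The real
 * coturn token format and function names are not reproduced here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NONCE_MAX 256   /* fixed-size stack destination, as in the CVE text */

struct encrypted_block {
    uint8_t  nonce[NONCE_MAX];
    uint16_t nonce_len;
};

/* Hardened decode.  The vulnerable pattern is the same function with the
 * two range checks removed: memcpy(out->nonce, tok + 2, nonce_len) for
 * any nonce_len in 0..65535.  The checks must run here, at parse time,
 * because AES-GCM tag verification happens only after the nonce has been
 * copied out and therefore cannot protect the copy itself. */
int decode_nonce_checked(const uint8_t *tok, size_t tok_len,
                         struct encrypted_block *out)
{
    if (tok_len < 2)
        return -1;                                  /* no length field */
    uint16_t nonce_len = (uint16_t)((tok[0] << 8) | tok[1]);
    if (nonce_len == 0 || nonce_len > NONCE_MAX)
        return -1;                                  /* would overflow nonce[] */
    if (nonce_len > tok_len - 2)
        return -1;                                  /* token shorter than claimed */
    memcpy(out->nonce, tok + 2, nonce_len);
    out->nonce_len = nonce_len;
    return 0;
}

/* Test driver: constructs a token claiming `claimed_len` nonce bytes while
 * carrying only `actual` payload bytes, then decodes it.  Returns the
 * decoder's result (0 = accepted, -1 = rejected), -2 if the test token
 * itself would not fit the scratch buffer. */
int try_token(uint16_t claimed_len, size_t actual)
{
    uint8_t tok[1024];
    struct encrypted_block blk;
    if (actual > sizeof tok - 2)
        return -2;
    tok[0] = (uint8_t)(claimed_len >> 8);
    tok[1] = (uint8_t)(claimed_len & 0xff);
    memset(tok + 2, 0x41, actual);                  /* constructed filler bytes */
    return decode_nonce_checked(tok, 2 + actual, &blk);
}
```

A length that is in range but larger than the bytes actually present is also rejected, so a truncated token cannot make the decoder read past the end of the input either.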



More information about the Pkg-voip-maintainers mailing list