DEBIAN-CVE-2026-40613
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-40613
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40613.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-40613
- Upstream
- Published
- 2026-04-21T19:16:17.743Z
- Modified
- 2026-05-22T16:01:24.717035011Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8t * to uint16t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at nsturnmsg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.
- References
Affected packages
Debian:11 / coturn
Package
- Name
- coturn
- Purl
- pkg:deb/debian/coturn?arch=source&distro=bullseye
Debian:12 / coturn
Package
- Name
- coturn
- Purl
- pkg:deb/debian/coturn?arch=source&distro=bookworm
Debian:13 / coturn
Package
- Name
- coturn
- Purl
- pkg:deb/debian/coturn?arch=source&distro=trixie