Platform
linux
Component
coturn
Fixed in
4.10.1
CVE-2026-40613 affects Coturn, a widely used open-source STUN/TURN server. An unauthenticated remote attacker can crash the server with a crafted STUN message, causing a Denial of Service (DoS). The root cause is an unaligned memory access in the STUN attribute parser, which terminates the process with SIGBUS on ARM64 (AArch64) builds. The vulnerability is resolved in version 4.10.0.
The primary impact of CVE-2026-40613 is a complete denial of service. An attacker sends a specially crafted STUN message to a vulnerable Coturn instance running on ARM64 (AArch64), and the turnserver process terminates abruptly with SIGBUS, taking TURN/STUN service down until the process is restarted. Because TURN/STUN provides NAT traversal for real-time communication applications (VoIP, video conferencing, online gaming), every client that depends on the affected server loses media connectivity. No credentials are required and a single message suffices, so the attack is trivial to repeat: a supervisor that restarts turnserver shortens each outage but does not stop an attacker from crashing it again.
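The property a STUN attribute parser must have to avoid this class of crash is that its correctness never depends on where the message sits in memory. The following added example (written for this page, not Coturn's own code) walks the attribute TLVs of a STUN message per RFC 8489 framing, assembling integers from individual bytes instead of casting a byte pointer to `uint32_t *`. The sample Allocate request is constructed here, and `main` deliberately parses it from an odd address to show that the result does not change.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUN_HEADER_LEN   20
#define STUN_MAGIC_COOKIE 0x2112A442u

/* Assemble big-endian integers from individual bytes. Byte loads are legal at
 * any address, unlike *(uint32_t *)p, which is undefined behaviour when p is
 * not 4-byte aligned and may be compiled into an instruction that faults on
 * targets that enforce alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

struct stun_attr {
    uint16_t type;
    uint16_t len;          /* declared length, before padding */
    const uint8_t *value;  /* points into the caller's buffer */
};

/* Walk the attribute TLVs of one STUN message. Returns the number of
 * attributes, or -1 if the message is malformed. Only the first max_out
 * attributes are stored in out[]. */
int stun_walk(const uint8_t *msg, size_t msg_len, struct stun_attr *out, int max_out)
{
    if (msg_len < STUN_HEADER_LEN) return -1;
    if ((msg[0] & 0xC0) != 0) return -1;                 /* top two bits are always zero */
    if (rd32(msg + 4) != STUN_MAGIC_COOKIE) return -1;
    uint16_t body_len = rd16(msg + 2);
    if (body_len % 4 != 0) return -1;                    /* body length is a multiple of 4 */
    if ((size_t)body_len > msg_len - STUN_HEADER_LEN) return -1;

    size_t off = STUN_HEADER_LEN, end = STUN_HEADER_LEN + body_len;
    int n = 0;
    while (off < end) {
        if (end - off < 4) return -1;                    /* room for type + length */
        uint16_t type = rd16(msg + off);
        uint16_t len  = rd16(msg + off + 2);
        size_t padded = ((size_t)len + 3) & ~(size_t)3;  /* values are padded to 4 bytes */
        if (padded > end - off - 4) return -1;           /* value + padding must fit in body */
        if (n < max_out) {
            out[n].type  = type;
            out[n].len   = len;
            out[n].value = msg + off + 4;
        }
        n++;
        off += 4 + padded;
    }
    return n;
}

/* Constructed sample (not captured traffic): a TURN Allocate request carrying
 * SOFTWARE "test1" (5 bytes, padded to 8), LIFETIME 600 and
 * REQUESTED-TRANSPORT UDP (protocol 17 in the top byte). */
size_t build_sample_allocate(uint8_t *buf, size_t cap)
{
    static const uint8_t msg[] = {
        0x00, 0x03, 0x00, 0x1C,                          /* Allocate request, body length 28 */
        0x21, 0x12, 0xA4, 0x42,                          /* magic cookie */
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06,              /* 96-bit transaction id */
        0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C,
        0x80, 0x22, 0x00, 0x05, 't', 'e', 's', 't', '1', 0, 0, 0,  /* SOFTWARE */
        0x00, 0x0D, 0x00, 0x04, 0x00, 0x00, 0x02, 0x58,            /* LIFETIME = 600 */
        0x00, 0x19, 0x00, 0x04, 0x11, 0x00, 0x00, 0x00,            /* REQUESTED-TRANSPORT = UDP */
    };
    if (cap < sizeof msg) return 0;
    memcpy(buf, msg, sizeof msg);
    return sizeof msg;
}

int main(void)
{
    uint8_t raw[64];
    size_t n = build_sample_allocate(raw + 1, sizeof raw - 1);   /* odd address on purpose */
    struct stun_attr attrs[8];
    int count = stun_walk(raw + 1, n, attrs, 8);
    for (int i = 0; i < count; i++)
        printf("attr 0x%04x len %u\n", attrs[i].type, attrs[i].len);
    return count == 3 ? 0 : 1;
}
```

On x86-64 a misaligned `*(uint32_t *)p` usually works anyway, which is why alignment bugs in C parsers tend to go unnoticed until the code runs on a platform or instruction sequence that faults, as the SIGBUS on AArch64 described above does.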
CVE-2026-40613 was published on 2026-04-21. Its impact is rated high because exploitation is trivial and the disruption can be widespread. No publicly available exploit or active campaign targeting this vulnerability is known at the time of writing. The EPSS score is 0.19% (41st percentile), a low predicted probability of exploitation despite the simple attack vector and the prevalence of ARM64 hosts. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS
0.19% (41st percentile)
CISA SSVC
CVSS Vector
The definitive mitigation for CVE-2026-40613 is to upgrade Coturn to version 4.10.0 or later, which fixes the unaligned memory access. Only ARM64 (AArch64) builds are affected, so inventory which TURN hosts run on that architecture first. If an immediate upgrade is not feasible because of compatibility or testing requirements, limit exposure in the meantime. A WAF is not in the path: STUN/TURN runs over UDP and TCP (3478 by default, 5349 for TLS), not HTTP, so the only network-level control is restricting which sources can reach the listener, which is practical for private deployments but rarely for a public TURN server. Inspecting STUN attributes for unusual alignment patterns in transit is not a reliable filter. An automatic restart (for example systemd Restart=on-failure) shortens each outage but does not stop repeated crashes. Monitor for the turnserver process being killed by SIGBUS: under systemd, journalctl -u coturn.service (the unit name varies by distribution) records "Main process exited, code=killed, status=7/BUS". After upgrading, confirm the fix in a test environment by sending a STUN message with a potentially problematic attribute alignment and verifying that the server does not crash.
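The log check above reduces to one rule: a systemd "code=killed, status=N/NAME" record for the TURN unit with signal 7. The following added example (written for this page, not part of Coturn) implements that rule over a batch of journal lines. The lines are constructed for illustration, and the unit name coturn.service is assumed; substitute your distribution's unit name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIGBUS_NUM 7   /* Linux signal number for SIGBUS on x86-64 and AArch64 */

/* Constructed journal lines for illustration, not captured from a real host.
 * coturn.service is the unit name used by the Debian package; it is an
 * assumption here and differs on some distributions. */
static const char *const SAMPLE_LINES[] = {
    "Apr 21 10:02:17 turn1 systemd[1]: coturn.service: Main process exited, code=killed, status=7/BUS",
    "Apr 21 10:02:17 turn1 systemd[1]: coturn.service: Failed with result 'signal'.",
    "Apr 21 09:55:01 turn1 systemd[1]: coturn.service: Main process exited, code=killed, status=15/TERM",
    "Apr 21 10:03:00 turn1 systemd[1]: nginx.service: Main process exited, code=killed, status=7/BUS",
    "Apr 21 10:02:18 turn1 systemd-coredump[4123]: Process 4100 (turnserver) of user 998 dumped core.",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* If `line` is a systemd record of `unit` being killed by a signal
 * ("Main process exited, code=killed, status=N/NAME"), return N; else 0.
 * Matching starts at the unit name so records for other units are ignored. */
int unit_killed_by_signal(const char *line, const char *unit)
{
    const char *u = strstr(line, unit);
    if (u == NULL) return 0;
    if (strstr(u, "code=killed") == NULL) return 0;
    const char *s = strstr(u, "status=");
    if (s == NULL) return 0;
    return (int)strtol(s + strlen("status="), NULL, 10);
}

/* Count SIGBUS terminations of `unit` across a batch of journal lines.
 * A planned restart (SIGTERM, status=15) is not counted. */
size_t count_sigbus(const char *const lines[], size_t n, const char *unit)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (unit_killed_by_signal(lines[i], unit) == SIGBUS_NUM) hits++;
    return hits;
}

int main(void)
{
    size_t hits = count_sigbus(SAMPLE_LINES, SAMPLE_COUNT, "coturn.service");
    printf("turnserver SIGBUS terminations: %zu\n", hits);
    return 0;
}
```

One SIGBUS may be a hardware or packaging problem; a burst of them on an ARM64 host that has not yet been upgraded is the signature to alert on, and the matching systemd-coredump record gives you the core to confirm the crash site.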
Upgrade to Coturn version 4.10.0 or later to mitigate the vulnerability. This update fixes the unaligned memory access in the STUN attribute parser, preventing the TURN server crash on ARM64 architectures.
It is a Denial of Service (DoS) vulnerability in Coturn, a STUN/TURN server, that lets an unauthenticated attacker crash the server with a crafted STUN message.
If you are running a Coturn version earlier than 4.10.0 on an ARM64 (AArch64) host, you are potentially vulnerable.
Upgrade Coturn to version 4.10.0 or later to resolve the vulnerability. If an immediate upgrade is not possible, restrict which sources can reach the STUN/TURN listener and monitor for SIGBUS terminations of turnserver.
As of now, there are no publicly known exploits or active campaigns targeting this vulnerability, but vigilance is advised.
Refer to the official Coturn project website and the NVD entry for CVE-2026-40613 for detailed information.