CVE Catalog

CVE-2026-43994

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.45%

36th percentile - higher than 36% of all known CVEs

Summary

In Coturn prior to version 4.10.0, a stack buffer overflow exists in decode_oauth_token_gcm(). An attacker can supply an OAuth token with a nonce_len field up to 65535, which is directly used in memcpy() to copy data into a 256-byte stack buffer, causing up to 735 bytes to be written past the buffer. The overflow occurs before AES-GCM authentication is verified, so the attacker does not need the OAuth key or a valid token.

Risk Assessment

This vulnerability may enable remote code execution (RCE) in --oauth mode, which is commonly recommended for WebRTC TURN/STUN. Due to Coturn's widespread deployment, the risk to organizations is significant, especially without proper memory protections.

Recommendation

Immediately update Coturn to version 4.10.0 or later. If an update is not possible, consider disabling --oauth mode until the patch is applied.

Original NVD description (English source)

Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. The overflow occurs before AES-GCM authentication is verified, the attacker does not need to know the OAuth key or produce a valid AES-GCM token. Up to 735 bytes of attacker-controlled data are written past the buffer, may corrupt adjacent stack data, including control-flow data depending on compiler, ABI, and mitigations. Requires --oauth mode (non-default). This may provide a plausible RCE primitive depending on exploit mitigations; because coturn is widely deployed for WebRTC TURN/STUN and --oauth is commonly recommended, impact can be broad. This issue has been fixed in version 4.10.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS