7.5
CVE-2026-40613
- EPSS 0.19%
- Veröffentlicht 21.04.2026 18:00:53
- Zuletzt bearbeitet 24.04.2026 13:41:41
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginCoturn: Misaligned Memory Access in coturn STUN Attribute Parser (Remote DoS on ARM64)
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Coturn Project ≫ Coturn Version < 4.10.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.408 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-704 Incorrect Type Conversion or Cast
The product does not correctly convert an object, resource, or structure from one type to a different type.