Bug 2460213 (CVE-2026-40613)

Summary: CVE-2026-40613 coturn: coturn: Denial of Service due to misaligned memory reads from crafted STUN messages
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in coturn, an open-source implementation of TURN and STUN servers. Unsafe pointer casts in the STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays around NAT) attribute parsing functions can lead to misaligned memory reads. An unauthenticated remote attacker can exploit this by sending a single crafted UDP packet. This can cause the `turnserver` process to crash on ARM64 architectures, resulting in a Denial of Service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2460215, 2460216    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-21 19:01:52 UTC 
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.