{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40613", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T14:07:59.642Z", "datePublished": "2026-04-21T18:00:53.342Z", "dateUpdated": "2026-04-21T20:36:46.136Z"}, "containers": {"cna": {"title": "Coturn: Misaligned Memory Access in coturn STUN Attribute Parser (Remote DoS on ARM64)", "problemTypes": [{"descriptions": [{"cweId": "CWE-704", "lang": "en", "description": "CWE-704: Incorrect Type Conversion or Cast", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36"}], "affected": [{"vendor": "coturn", "product": "coturn", "versions": [{"version": "< 4.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T18:00:53.342Z"}, "descriptions": [{"lang": "en", "value": "Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0."}], "source": {"advisory": "GHSA-j662-9wcj-mf36", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:54:32.854613Z", "id": "CVE-2026-40613", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:36:46.136Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40613", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:54:32.854613Z"}}}], "references": [{"url": "https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:54:42.131Z"}}], "cna": {"title": "Coturn: Misaligned Memory Access in coturn STUN Attribute Parser (Remote DoS on ARM64)", "source": {"advisory": "GHSA-j662-9wcj-mf36", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "coturn", "product": "coturn", "versions": [{"status": "affected", "version": "< 4.10.0"}]}], "references": [{"url": "https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36", "name": "https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-704", "description": "CWE-704: Incorrect Type Conversion or Cast"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T18:00:53.342Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40613", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:36:46.136Z", "dateReserved": "2026-04-14T14:07:59.642Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T18:00:53.342Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:coturn_project:coturn:*:*:*:*:*:*:*:*", "matchCriteriaId": "85DBA1D9-6569-4125-AA06-D066B094A1B1", "versionEndExcluding": "4.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0."}], "id": "CVE-2026-40613", "lastModified": "2026-04-24T13:41:41.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T19:16:17.743", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-704"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.10.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "coturn", "source": "cna", "vendor": "coturn"}, "product": "coturn", "vendor": "coturn"}], "analysis": {"en": {"generated_at": "2026-04-22T07:15:16.921538+00:00", "value": {"mitigation_remediation": ["Upgrade coturn to version 4.10.0 or newer.", "If an upgrade is not immediately feasible, restrict inbound STUN/TURN UDP (usually port 3478) to known, trusted hosts via firewall rules.", "Continuously monitor system logs for SIGBUS events and ensure the server is restarted promptly after any crash."], "summary": {"action": "Patch Now", "impact": "Remote Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects coturn servers running any version prior to 4.10.0 on ARM64 (AArch64) hardware. All coturn installations exposing the default TURN/STUN port are at risk when deployed on this architecture.", "description_and_impact": "Coturn\u2019s STUN/TURN attribute parsing performs unsafe pointer casts (CWE\u2011704), allowing a crafted UDP packet with odd\u2011aligned attributes to trigger a misaligned memory read on ARM64. The resulting SIGBUS kills the turnserver process, causing a denial of service to all clients. The flaw is exploitable by an unauthenticated remote attacker and requires no authentication or privileged input.", "risk_and_exploitability": "The CVSS score of 7.5 indicates moderate\u2011to\u2011severe risk. No exploitation probability score has been published, and the vulnerability is not listed in the CISA KEV catalog, but the very small attack surface and the single\u2011packet requirement suggest a high likelihood of exploitation in targeted deployments, based on inference from the description. Because the attack originates from a raw UDP packet, it can be carried out remotely without authentication, making quick service disruption possible."}}}}, "created": "2026-04-22T03:30:06.543669+00:00", "updated": "2026-04-22T07:30:11.608738+00:00", "vendors": ["coturn", "coturn$PRODUCT$coturn"]}