CVE-2026-40613 Overview
CVE-2026-40613 is a denial of service vulnerability in Coturn, a free, open-source TURN and STUN server. The vulnerability exists in STUN/TURN attribute parsing functions that perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When a crafted STUN message with odd-aligned attribute boundaries is processed, the result is a misaligned memory read in ns_turn_msg.c. On ARM64 (AArch64) systems with strict alignment enforcement, this raises a SIGBUS signal that immediately terminates the turnserver process.
Critical Impact
An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet, causing complete service disruption.
Affected Products
- Coturn TURN/STUN Server versions prior to 4.10.0
- ARM64 (AArch64) deployments with strict alignment enforcement
- Any deployment processing untrusted STUN/TURN traffic
Discovery Timeline
- 2026-04-21 - CVE-2026-40613 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40613
Vulnerability Analysis
This vulnerability stems from improper type casting (CWE-704) in the STUN/TURN message parsing routines. The affected code performs direct pointer casts from byte arrays (uint8_t *) to 16-bit integer pointers (uint16_t *) when parsing STUN attributes. This cast assumes proper memory alignment, which is not guaranteed for STUN message attributes that can appear at arbitrary byte offsets.
On x86 architectures, misaligned memory access typically results in a performance penalty but the operation completes successfully. However, ARM64 processors with strict alignment enforcement treat misaligned memory access as a fatal error, generating a SIGBUS signal that terminates the process immediately. This architectural difference makes ARM64 coturn deployments particularly vulnerable to this attack.
The fix in version 4.10.0 addresses this by implementing proper alignment checks or using byte-by-byte memory access patterns that are architecture-safe.
Root Cause
The root cause is an unsafe pointer cast in ns_turn_msg.c where the STUN attribute parsing logic casts byte pointers directly to 16-bit integer pointers without verifying memory alignment. STUN message attributes can be positioned at any byte offset within the message payload, leading to odd-aligned memory boundaries that violate the alignment requirements for multi-byte data types on ARM64 processors.
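As an added illustration (not coturn's own code from ns_turn_msg.c), the C below shows the unsafe byte-pointer-to-uint16_t cast pattern the advisory describes next to an alignment-safe byte-wise reader, and a bounds-checked STUN attribute walker built on the safe reader; the sample STUN message is constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define STUN_HEADER_LEN 20

/* The pattern the advisory describes: a byte pointer cast straight to a
 * 16-bit pointer. When p is odd, AArch64 with strict alignment raises
 * SIGBUS on this load. Kept only for contrast; never called below. */
uint16_t read_u16_unsafe(const uint8_t *p) {
    return *(const uint16_t *)p;
}

/* Alignment-safe replacement: assemble the big-endian (network order)
 * value byte by byte, which is legal at any offset on any architecture. */
uint16_t read_u16_be(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Walk the TLV attribute list of a STUN message held in buf[0..len).
 * Returns the attribute count, or -1 if the header or any attribute runs
 * past the buffer. Every multi-byte field is read through read_u16_be. */
int stun_count_attributes(const uint8_t *buf, size_t len) {
    if (len < STUN_HEADER_LEN) return -1;
    size_t msg_len = read_u16_be(buf + 2);          /* header length field */
    if (msg_len > len - STUN_HEADER_LEN) return -1; /* claims more than we have */
    size_t off = STUN_HEADER_LEN, end = STUN_HEADER_LEN + msg_len;
    int count = 0;
    while (off < end) {
        if (end - off < 4) return -1;               /* truncated TLV header */
        size_t alen = read_u16_be(buf + off + 2);
        size_t padded = (alen + 3) & ~(size_t)3;    /* values pad to 4 bytes */
        if (padded > end - off - 4) return -1;      /* value overruns message */
        off += 4 + padded;
        count++;
    }
    return count;
}

/* Constructed sample: a Binding request (type 0x0001, length 16) carrying
 * SOFTWARE (0x8022, "abc" + 1 pad byte) and PRIORITY (0x0024, 4 bytes). */
const uint8_t sample_msg[] = {
    0x00, 0x01, 0x00, 0x10, 0x21, 0x12, 0xA4, 0x42, /* type, length, cookie */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,          /* transaction id */
    0x80, 0x22, 0x00, 0x03, 'a', 'b', 'c', 0x00,    /* SOFTWARE */
    0x00, 0x24, 0x00, 0x04, 0x6E, 0x00, 0x01, 0xFF, /* PRIORITY */
};
const size_t sample_msg_len = sizeof sample_msg;
```

Reading the attribute header at an odd offset such as sample_msg + 21 goes through read_u16_be and is safe; the same read through the cast pattern is what faults on strict-alignment ARM64.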
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can craft a malicious STUN message with attributes positioned at odd byte boundaries. When this packet is sent via UDP to a vulnerable coturn server running on ARM64 hardware, the misaligned memory access triggers a SIGBUS signal, causing an immediate process crash. The attack requires only a single crafted UDP packet and no prior authentication or interaction with the server.
The vulnerability is particularly severe because STUN/TURN servers are typically internet-facing to facilitate WebRTC and VoIP communications. The misaligned attribute parsing occurs before any authentication checks, allowing completely unauthenticated remote attackers to exploit this flaw.
Detection Methods for CVE-2026-40613
Indicators of Compromise
- Unexpected turnserver process terminations with SIGBUS exit signals
- Core dumps from the coturn process indicating misaligned memory access
- System logs showing abnormal STUN message processing failures
- Sudden service unavailability without resource exhaustion indicators
Detection Strategies
- Monitor for SIGBUS signals in process supervision systems (systemd, supervisord)
- Implement process monitoring to detect rapid coturn restarts
- Analyze network traffic for malformed STUN messages with unusual attribute alignments
- Deploy intrusion detection signatures for STUN packets with odd-aligned attribute boundaries
Monitoring Recommendations
- Configure alerting for coturn process crashes on ARM64 deployments
- Enable core dump collection to capture crash evidence for forensic analysis
- Monitor UDP traffic patterns for potential exploit attempts
- Track coturn service availability metrics to detect exploitation attempts
How to Mitigate CVE-2026-40613
Immediate Actions Required
- Upgrade to coturn version 4.10.0 or later immediately
- Prioritize patching ARM64 deployments as they are most vulnerable
- Implement network-level filtering to restrict STUN/TURN access to trusted networks where possible
- Enable process supervision to automatically restart crashed turnserver instances as a temporary measure
Patch Information
The vulnerability is fixed in coturn version 4.10.0. Users should upgrade to this version or later as soon as possible. The security advisory and patch details are available in the GitHub Security Advisory.
Workarounds
- Deploy coturn on x86/x86_64 architecture where misaligned access does not cause crashes (temporary workaround only)
- Implement network-level access controls to limit exposure to trusted clients
- Use a reverse proxy or firewall to filter potentially malicious STUN packets
- Enable automatic process restart via systemd or similar to minimize downtime from crashes
# Enable automatic restart in systemd for temporary resilience.
# Writing the drop-in directly is equivalent to `sudo systemctl edit coturn.service` but needs no editor:
sudo mkdir -p /etc/systemd/system/coturn.service.d
sudo tee /etc/systemd/system/coturn.service.d/override.conf >/dev/null <<'EOF'
[Unit]
# Without this, systemd stops restarting after 5 crashes within 10 s (default start-rate limit)
StartLimitIntervalSec=0
[Service]
Restart=always
RestartSec=5
EOF
sudo systemctl daemon-reload
sudo systemctl restart coturn.service
# Verify coturn version after upgrade
turnserver --version
# Should show 4.10.0 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

