Coturn ARM64 Crash: Unauthenticated DoS via Crafted STUN Message
The National Vulnerability Database has published CVE-2026-40613, a high-severity vulnerability (CVSS 7.5) in Coturn, a widely used open-source TURN/STUN server. The flaw, present in versions prior to 4.10.0, is a set of unsafe pointer casts (uint8_t * to uint16_t *) made without alignment checks in the STUN/TURN attribute parsing functions in ns_turn_msg.c. A crafted STUN message with odd-aligned attribute boundaries makes the parser perform a 16-bit read from an odd address.
On AArch64 hosts that enforce alignment, that misaligned read raises SIGBUS and the turnserver process dies on the spot. An unauthenticated remote attacker needs only a single crafted UDP packet, so any affected ARM64 deployment can be knocked offline at will. Two caveats worth keeping in mind: an unaligned 16-bit load through a cast pointer is undefined behaviour in C on every architecture, so the fix is not ARM64-specific even though the observed crash is; and AArch64 Linux userspace generally tolerates unaligned loads from ordinary memory, which is why the advisory qualifies the impact with "strict alignment enforcement". Treat every ARM64 host as exposed unless you have verified how it handles unaligned access. The fix is available in Coturn version 4.10.0.
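The read pattern the advisory describes, as an added illustration that is not coturn's code and does not reproduce the CVE: a hypothetical STUN attribute walker that reads 16-bit fields through a `uint8_t *` to `uint16_t *` cast, next to a hardened version that reads via `memcpy`, applies the 4-byte attribute padding and bounds-checks every length. Both messages, the naive walk and the hardened parser are constructed for this example; the attacker-controlled length field in the crafted message leaves the second attribute header at an odd offset (27).

```c
/*
 * Hypothetical STUN attribute walker written for this page (NOT coturn's code;
 * it does not reproduce CVE-2026-40613). It contrasts the cast-and-dereference
 * read with an alignment-safe read, and a naive walk with a hardened one.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs */

#define STUN_HDR_LEN 20

/* Constructed well-formed Binding Request: USERNAME "abcd" (length 4, already
 * a multiple of 4) followed by an empty SOFTWARE attribute (0x8022).
 * Body = 12 bytes, datagram = 32 bytes. */
static _Alignas(4) const uint8_t kWellFormed[] = {
    0x00,0x01, 0x00,0x0C, 0x21,0x12,0xA4,0x42,
    1,2,3,4,5,6,7,8,9,10,11,12,            /* transaction ID */
    0x00,0x06, 0x00,0x04, 'a','b','c','d', /* USERNAME, len 4 */
    0x80,0x22, 0x00,0x00,                  /* SOFTWARE, len 0 */
};

/* Constructed crafted message: USERNAME "abc" (length 3) with NO padding, so
 * the next attribute header sits at offset 27. Body = 11, datagram = 31. */
static _Alignas(4) const uint8_t kCrafted[] = {
    0x00,0x01, 0x00,0x0B, 0x21,0x12,0xA4,0x42,
    1,2,3,4,5,6,7,8,9,10,11,12,
    0x00,0x06, 0x00,0x03, 'a','b','c',     /* USERNAME, len 3, unpadded */
    0x80,0x22, 0x00,0x00,                  /* header at odd offset 27 */
};

/* Vulnerable read pattern: cast the byte pointer and dereference. On an odd
 * address this is undefined behaviour and raises SIGBUS wherever alignment is
 * enforced. Kept for contrast; main() calls it only on an aligned offset. */
static uint16_t rd16_cast(const uint8_t *p) {
    return ntohs(*(const uint16_t *)p);
}

/* Hardened read: memcpy has no alignment precondition. Compilers emit a plain
 * load where unaligned access is permitted and byte loads elsewhere. */
static uint16_t rd16_safe(const uint8_t *p) {
    uint16_t v;
    memcpy(&v, p, sizeof v);
    return ntohs(v);
}

/* Audit a naive walk that advances by 4 + raw length (no padding, no bounds
 * check). Returns how many attribute headers it would read from an odd offset,
 * i.e. how many rd16_cast() calls would fault on a strict-alignment target.
 * The audit itself reads with rd16_safe so it cannot crash. */
static int audit_naive_walk(const uint8_t *msg, size_t msglen) {
    int misaligned = 0;
    for (size_t off = STUN_HDR_LEN; off + 4 <= msglen;) {
        if (off % 2 != 0)
            misaligned++;
        off += 4 + rd16_safe(msg + off + 2);
    }
    return misaligned;
}

struct attr { uint16_t type; uint16_t len; size_t off; };

/* Hardened walk: alignment-safe reads, every length checked against the
 * buffer, 4-byte attribute padding applied (RFC 5389), and the header length
 * field must match the datagram. Returns the attribute count or -1 to reject.
 * Pass out == NULL to count only. */
static int parse_attrs_safe(const uint8_t *msg, size_t msglen,
                            struct attr *out, int max) {
    if (msglen < STUN_HDR_LEN) return -1;
    if ((size_t)STUN_HDR_LEN + rd16_safe(msg + 2) != msglen) return -1;
    int n = 0;
    size_t off = STUN_HDR_LEN;
    while (off + 4 <= msglen) {
        uint16_t type = rd16_safe(msg + off);
        uint16_t len  = rd16_safe(msg + off + 2);
        size_t padded = ((size_t)len + 3) & ~(size_t)3;
        if (off + 4 + padded > msglen) return -1;   /* length lies about the buffer */
        if (out) {
            if (n >= max) return -1;
            out[n].type = type; out[n].len = len; out[n].off = off;
        }
        n++;
        off += 4 + padded;
    }
    return off == msglen ? n : -1;                  /* trailing bytes: reject */
}

int main(void) {
    /* offset 0 is 4-aligned, so the cast read is legal here */
    printf("well-formed: type=0x%04x misaligned_headers=%d attrs=%d\n",
           rd16_cast(kWellFormed),
           audit_naive_walk(kWellFormed, sizeof kWellFormed),
           parse_attrs_safe(kWellFormed, sizeof kWellFormed, NULL, 0));
    printf("crafted:     type=0x%04x misaligned_headers=%d attrs=%d\n",
           rd16_cast(kCrafted),
           audit_naive_walk(kCrafted, sizeof kCrafted),
           parse_attrs_safe(kCrafted, sizeof kCrafted, NULL, 0));
    return 0;
}
```

Build with `cc -Wall stun_align.c` (file name assumed). The audit reports one odd-offset header for the crafted message and none for the well-formed one, and the hardened parser rejects the crafted message outright because its unpadded attribute leaves three bytes that cannot form a header. On an x86-64 or a typical AArch64 Linux host the cast read at offset 27 would usually succeed silently, which is how this bug class survives testing and only surfaces on a host that enforces alignment; compiling the test build with `-fsanitize=alignment` (UBSan) makes the misaligned dereference fail on any host, and `memcpy` is the portable fix.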
This is not a subtle bug. The attacker needs no credentials and no exploit chain, just one malformed packet. For organizations that rely on Coturn for real-time communication, that is a trivial path to taking down critical infrastructure: low effort for the attacker, high impact for the victim.
What This Means For You
- If you run Coturn on ARM64, you are exposed to a trivial unauthenticated denial of service. Upgrade to version 4.10.0 immediately and prioritize it over other patching. Every service that depends on Coturn for NAT traversal or relaying (WebRTC calling, conferencing, screen sharing) goes down with the turnserver process.
- Upgrade x86-64 and other hosts as well. The misaligned reads are undefined behaviour on every architecture; SIGBUS is simply how the bug manifests where alignment is enforced.
- Until you can patch, reduce exposure rather than assume safety: restrict the STUN/TURN listening ports to the networks that need them where the deployment allows, run turnserver under a supervisor that restarts it (this shortens each outage but does not stop the attack, since one packet per restart keeps the service down), and alert on repeated SIGBUS terminations or core dumps of turnserver, which is the most direct sign that someone is sending these packets.
Vulnerability Summary
| Field | Detail |
|---|---|
| CVE | CVE-2026-40613 |
| Severity | CVSS 7.5 (High) |
| Affected software | Coturn turnserver, versions prior to 4.10.0 |
| Fixed in | Coturn 4.10.0 |
| Root cause | Unsafe pointer casts from uint8_t * to uint16_t * without alignment checks in STUN/TURN attribute parsing functions |
| Fault location | Misaligned memory reads in ns_turn_msg.c when processing odd-aligned attribute boundaries |
| Trigger | A single crafted UDP packet from a remote, unauthenticated attacker |
| Impact | SIGBUS crash of the turnserver process on ARM64 deployments with strict alignment enforcement (denial of service) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 21, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.