Compliance Impact

The vulnerability CVE-2026-40613 causes a remote denial-of-service (DoS) by crashing the coturn server process on ARM64 architectures due to unsafe pointer casts and misaligned memory access.

There is no direct impact on confidentiality or integrity, as the CVSS metrics indicate no confidentiality or integrity loss, only availability impact.

Since the vulnerability results in availability disruption but does not expose or alter sensitive data, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or health data.

However, denial-of-service incidents can indirectly affect compliance if they disrupt critical services or availability requirements mandated by such regulations.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-40613 is a high-severity remote denial-of-service (DoS) vulnerability in coturn, an open source TURN and STUN server implementation. The issue occurs in coturn versions prior to 4.10.0 on ARM64 (AArch64) architectures due to unsafe pointer casts in the STUN attribute parsing code.

Specifically, coturn performs casts from uint8_t * to uint16_t * without checking for proper memory alignment. When processing a crafted STUN message with odd-aligned attribute boundaries, this causes misaligned memory reads. On ARM64 platforms, which enforce strict memory alignment, this misaligned access triggers a SIGBUS signal that immediately crashes the coturn process.

An unauthenticated remote attacker can exploit this by sending a single crafted UDP packet to the coturn server, causing it to crash and resulting in a denial of service.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service on any coturn deployment running on ARM64 hardware by crashing the turnserver process.

• An unauthenticated remote attacker can send a single crafted UDP packet to crash the coturn server.
• The crash results from a SIGBUS signal caused by misaligned memory access.
• This leads to service unavailability, impacting any applications or services relying on coturn for TURN/STUN functionality.
• Affected platforms include ARM64 devices such as AWS Graviton instances, Apple Silicon, Raspberry Pi, Android SRTP relays, and other ARM-based cloud or edge servers.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unexpected crashes or SIGBUS signals in the coturn server process running on ARM64 architectures. Since the vulnerability is triggered by a crafted STUN message sent over UDP (default port 3478), network traffic analysis can help identify suspicious or malformed STUN packets.

A practical approach is to capture and analyze UDP traffic on port 3478 to look for malformed STUN messages with odd-aligned attribute boundaries.

Suggested commands include:

• Use tcpdump or tshark to capture UDP packets on port 3478: tcpdump -i <interface> udp port 3478 -w coturn_capture.pcap
• Analyze captured packets with Wireshark or tshark to inspect STUN attributes for irregularities.
• Check system logs or coturn logs for process crashes or SIGBUS signals indicating misaligned memory access.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade coturn to version 4.10.0 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, consider restricting or filtering incoming UDP traffic on port 3478 to trusted sources to reduce exposure to crafted packets.

Additionally, monitor coturn server stability and logs for crashes and consider deploying network-level protections such as rate limiting or firewall rules to mitigate potential denial-of-service attacks.

Useful 0 Not Useful 0