CVE-2026-43994
Received - Intake
Stack Buffer Overflow in Coturn OAuth Token Handling

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description
Coturn is a free open source implementation of a TURN and STUN server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (range 0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. The overflow occurs before AES-GCM authentication is verified, so the attacker does not need to know the OAuth key or produce a valid AES-GCM token. Up to 735 bytes of attacker-controlled data are written past the buffer and may corrupt adjacent stack data, including control-flow data, depending on compiler, ABI, and mitigations. Exploitation requires --oauth mode (non-default). This may provide a plausible RCE primitive depending on exploit mitigations; because coturn is widely deployed for WebRTC TURN/STUN and --oauth is commonly recommended, impact can be broad. This issue has been fixed in version 4.10.0.
Meta Information
Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: coturn
Product: coturn
Version range: all versions before 4.10.0 (4.10.0 excluded)
CWE
CWE-120: The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Executive Summary

This vulnerability exists in Coturn versions prior to 4.10.0, which is an open source TURN and STUN server implementation. It is a stack buffer overflow in the function decode_oauth_token_gcm(). Specifically, a 16-bit nonce length field (nonce_len) is read from an attacker-supplied OAuth access token and used directly as the length parameter in a memcpy() call to copy data into a fixed 256-byte stack buffer without any bounds checking.

Because the nonce_len can be up to 65535, this allows an attacker to write up to 735 bytes beyond the buffer, corrupting adjacent stack data including control-flow data. This overflow happens before AES-GCM authentication is verified, so the attacker does not need to know the OAuth key or produce a valid token. The vulnerability requires the --oauth mode to be enabled, which is not the default.
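A hardened decoder for the unchecked-memcpy pattern described in the Description and restated in this summary, as an added example that is not coturn's code: it is a hypothetical, simplified reconstruction in C that assumes a 2-byte big-endian nonce_len header followed by the nonce bytes, reuses the field names from the advisory, and rejects any token whose declared nonce length exceeds the 256-byte buffer or the bytes actually present.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified reconstruction of the pattern the advisory describes, not
 * coturn's code. Assumed token layout: 2-byte big-endian nonce_len, then nonce bytes. */
#define OAUTH_NONCE_MAX 256

struct oauth_encrypted_block {
    uint16_t nonce_len;
    uint8_t  nonce[OAUTH_NONCE_MAX];   /* the 256-byte stack buffer named in the advisory */
};

/* Vulnerable shape (for contrast only, not compiled in): the attacker's 16-bit length
 * is the memcpy size, so any nonce_len > 256 runs past blk.nonce, before any AES-GCM check:
 *     nonce_len = (tok[0] << 8) | tok[1];  memcpy(blk.nonce, tok + 2, nonce_len); */

/* Hardened decoder: bound the declared length by the destination buffer and by the
 * bytes actually present before memcpy runs. Returns 0 on success, -1 if rejected. */
int decode_nonce_checked(const uint8_t *tok, size_t tok_len,
                         struct oauth_encrypted_block *blk)
{
    if (tok_len < 2)
        return -1;                                   /* no room for the length field */
    uint16_t nonce_len = (uint16_t)((tok[0] << 8) | tok[1]);
    if (nonce_len == 0 || nonce_len > OAUTH_NONCE_MAX)
        return -1;                                   /* reject rather than overflow */
    if ((size_t)nonce_len > tok_len - 2)
        return -1;                                   /* claims more bytes than present */
    memcpy(blk->nonce, tok + 2, nonce_len);
    blk->nonce_len = nonce_len;
    return 0;
}

/* Builds a constructed token declaring `declared` nonce bytes but carrying `present`
 * bytes, decodes it, and returns the accepted nonce_len or -1. Exercises the checks. */
int decode_constructed(uint16_t declared, size_t present)
{
    uint8_t tok[2 + 1024];
    struct oauth_encrypted_block blk;
    if (present > sizeof(tok) - 2) present = sizeof(tok) - 2;
    tok[0] = (uint8_t)(declared >> 8);
    tok[1] = (uint8_t)(declared & 0xff);
    memset(tok + 2, 0x41, present);                  /* constructed filler nonce bytes */
    memset(&blk, 0, sizeof blk);
    if (decode_nonce_checked(tok, 2 + present, &blk) != 0)
        return -1;
    return (int)blk.nonce_len;
}
```

The same length-versus-capacity check must precede every memcpy driven by a wire-supplied size, and the rejection should happen before any cryptographic verification is attempted, since the advisory's point is that the overflow is reachable without a valid key.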

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to perform a stack buffer overflow that may corrupt control-flow data on the stack. This can potentially lead to remote code execution (RCE) depending on the presence of exploit mitigations, compiler, and ABI specifics.

Since Coturn is widely deployed for WebRTC TURN/STUN services and the --oauth mode is commonly recommended, the impact can be broad. An attacker could exploit this vulnerability remotely without authentication or knowledge of the OAuth key, leading to full compromise of the affected system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Coturn to version 4.10.0 or later, where the issue has been fixed.

Additionally, if you are using the --oauth mode (which is required for this vulnerability to be exploitable), consider disabling it temporarily until you can upgrade.
