CVE-2026-43994
Analyzed Analyzed - Analysis Complete

Stack Buffer Overflow in Coturn OAuth Token Handling

Vulnerability report for CVE-2026-43994, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-18

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. The overflow occurs before AES-GCM authentication is verified, the attacker does not need to know the OAuth key or produce a valid AES-GCM token. Up to 735 bytes of attacker-controlled data are written past the buffer, may corrupt adjacent stack data, including control-flow data depending on compiler, ABI, and mitigations. Requires --oauth mode (non-default). This may provide a plausible RCE primitive depending on exploit mitigations; because coturn is widely deployed for WebRTC TURN/STUN and --oauth is commonly recommended, impact can be broad. This issue has been fixed in version 4.10.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-18
Last Modified
2026-06-26
Generated
2026-07-09
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-08
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coturn_project coturn to 4.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Coturn versions prior to 4.10.0, which is an open source TURN and STUN server implementation. It is a stack buffer overflow in the function decode_oauth_token_gcm(). Specifically, a 16-bit nonce length field (nonce_len) is read from an attacker-supplied OAuth access token and used directly as the length parameter in a memcpy() call to copy data into a fixed 256-byte stack buffer without any bounds checking.

Because the nonce_len can be up to 65535, this allows an attacker to write up to 735 bytes beyond the buffer, corrupting adjacent stack data including control-flow data. This overflow happens before AES-GCM authentication is verified, so the attacker does not need to know the OAuth key or produce a valid token. The vulnerability requires the --oauth mode to be enabled, which is not the default.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to perform a stack buffer overflow that may corrupt control-flow data on the stack. This can potentially lead to remote code execution (RCE) depending on the presence of exploit mitigations, compiler, and ABI specifics.

Since Coturn is widely deployed for WebRTC TURN/STUN services and the --oauth mode is commonly recommended, the impact can be broad. An attacker could exploit this vulnerability remotely without authentication or knowledge of the OAuth key, leading to full compromise of the affected system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Coturn to version 4.10.0 or later, where the issue has been fixed.

Additionally, if you are using the --oauth mode (which is required for this vulnerability to be exploitable), consider disabling it temporarily until you can upgrade.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43994. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart