On Mon, Jun 22, 2026 at 09:03:06PM +0200, Salvatore Bonaccorso wrote:
> Source: coturn
> Version: 4.12.0-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> 
> Hi,
> 
> The following vulnerability was published for coturn.
> 
> CVE-2026-43994[0]:
> | Coturn is a free open source implementation of TURN and STUN Server.
> | Versions prior to 4.10.0 contain a stack buffer overflow in
> | decode_oauth_token_gcm(). A uint16_t nonce_len field read from an
> | attacker-supplied OAuth access token (0-65535) is passed directly to
> | memcpy() as the copy length into a 256-byte stack buffer
> | (oauth_encrypted_block.nonce[256]) without bounds checking. The
> | overflow occurs before AES-GCM authentication is verified, the
> | attacker does not need to know the OAuth key or produce a valid AES-
> | GCM token. Up to 735 bytes of attacker-controlled data are written
> | past the buffer, may corrupt adjacent stack data, including control-
> | flow data depending on compiler, ABI, and mitigations. Requires
> | --oauth mode (non-default). This may provide a plausible RCE
> | primitive depending on exploit mitigations; because coturn is widely
> | deployed for WebRTC TURN/STUN and --oauth is commonly recommended,
> | impact can be broad. This issue has been fixed in version 4.10.0.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2026-43994
>     https://www.cve.org/CVERecord?id=CVE-2026-43994
> [1] https://github.com/coturn/coturn/security/advisories/GHSA-74pg-rfh2-5qw5
> [2] https://github.com/coturn/coturn/commit/5ca467e70915c033f371cd7a9742759c68f56363

The commit looks wrong; my reading of the CVE is that it got fixed by

https://github.com/coturn/coturn/commit/46368b3e1ecda2175f8db8b05ece8bbdbf844cea

which is already included in the version in unstable.

> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore

cu
Adrian
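
The overflow pattern the advisory text above describes (a 16-bit length field read from an attacker-supplied token and used as the memcpy length into a fixed 256-byte stack buffer, before any AES-GCM check can reject the token), as an added C example. This is not coturn's code: the token layout, NONCE_MAX, TOKEN_MAX, the return codes and every function name here are assumptions made for illustration, and the "checked" decoder is a generic hardened form, not the upstream fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed token layout, constructed for this example (not coturn's wire
 * format): a big-endian uint16 nonce_len, then nonce bytes, then whatever
 * ciphertext and tag a real decoder would go on to authenticate. */
#define NONCE_MAX 256    /* size of the fixed stack buffer, as in the advisory */
#define TOKEN_MAX 1024   /* assumed upper bound on a whole token */

struct oauth_block {
    uint16_t nonce_len;
    uint8_t  nonce[NONCE_MAX];
};

static uint16_t get_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable shape: nonce_len comes straight from the token and is used as
 * the copy length. Any value above NONCE_MAX writes past the stack buffer,
 * and no authentication has happened yet. Kept for contrast only; never
 * call it on untrusted input. */
static int decode_nonce_unchecked(const uint8_t *tok, size_t tok_len,
                                  struct oauth_block *out) {
    if (tok_len < 2) return -1;
    out->nonce_len = get_be16(tok);
    memcpy(out->nonce, tok + 2, out->nonce_len);   /* no bounds check */
    return 0;
}

/* Hardened shape: bound nonce_len by the destination buffer AND by the
 * bytes actually present in the token before touching memcpy. */
static int decode_nonce_checked(const uint8_t *tok, size_t tok_len,
                                struct oauth_block *out) {
    if (tok_len < 2) return -1;            /* no room for the length field */
    uint16_t n = get_be16(tok);
    if (n == 0 || n > NONCE_MAX) return -2; /* rejects 257..65535 outright */
    if ((size_t)n > tok_len - 2) return -3; /* token shorter than it claims */
    out->nonce_len = n;
    memcpy(out->nonce, tok + 2, n);
    return 0;
}

/* Build a constructed token: header claims nonce_len, followed by
 * `payload` filler bytes. Returns total length, 0 if it would not fit. */
static size_t make_token(uint8_t *buf, size_t buf_len,
                         uint16_t nonce_len, size_t payload) {
    if (buf_len < 2 + payload) return 0;
    buf[0] = (uint8_t)(nonce_len >> 8);
    buf[1] = (uint8_t)(nonce_len & 0xff);
    memset(buf + 2, 0x41, payload);
    return 2 + payload;
}

/* Verdict of the checked decoder on a constructed token; -99 means the
 * test token itself could not be built. */
static int verdict(uint16_t nonce_len, size_t payload) {
    uint8_t tok[TOKEN_MAX];
    struct oauth_block blk;
    size_t len = make_token(tok, sizeof tok, nonce_len, payload);
    if (len == 0) return -99;
    return decode_nonce_checked(tok, len, &blk);
}

int main(void) {
    uint8_t tok[TOKEN_MAX];
    struct oauth_block blk;

    /* A well-formed 12-byte nonce passes both decoders. */
    size_t len = make_token(tok, sizeof tok, 12, 12);
    printf("valid nonce:     unchecked=%d checked=%d\n",
           decode_nonce_unchecked(tok, len, &blk),
           decode_nonce_checked(tok, len, &blk));

    /* 991 = 256 + 735, the overflow size the advisory quotes, as an
     * illustration: the checked decoder refuses before any copy. */
    printf("oversized nonce: checked=%d\n", verdict(991, 991));
    return 0;
}
```

The point to carry over to any real reviewer of such a decoder is the ordering: the length check has to happen before the copy, because the copy happens before the AES-GCM tag is verified, so the tag offers no protection against a malformed length.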
