On Mon, Jun 22, 2026 at 09:03:06PM +0200, Salvatore Bonaccorso wrote:
> Source: coturn
> Version: 4.12.0-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
>
> The following vulnerability was published for coturn.
>
> CVE-2026-43994[0]:
> | Coturn is a free open source implementation of TURN and STUN Server.
> | Versions prior to 4.10.0 contain a stack buffer overflow in
> | decode_oauth_token_gcm(). A uint16_t nonce_len field read from an
> | attacker-supplied OAuth access token (0-65535) is passed directly to
> | memcpy() as the copy length into a 256-byte stack buffer
> | (oauth_encrypted_block.nonce[256]) without bounds checking. The
> | overflow occurs before AES-GCM authentication is verified, the
> | attacker does not need to know the OAuth key or produce a valid AES-
> | GCM token. Up to 735 bytes of attacker-controlled data are written
> | past the buffer, may corrupt adjacent stack data, including control-
> | flow data depending on compiler, ABI, and mitigations. Requires
> | --oauth mode (non-default). This may provide a plausible RCE
> | primitive depending on exploit mitigations; because coturn is widely
> | deployed for WebRTC TURN/STUN and --oauth is commonly recommended,
> | impact can be broad. This issue has been fixed in version 4.10.0.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-43994
>     https://www.cve.org/CVERecord?id=CVE-2026-43994
> [1] https://github.com/coturn/coturn/security/advisories/GHSA-74pg-rfh2-5qw5
> [2] https://github.com/coturn/coturn/commit/5ca467e70915c033f371cd7a9742759c68f56363
The commit looks wrong; my reading of the CVE is that it got fixed by
https://github.com/coturn/coturn/commit/46368b3e1ecda2175f8db8b05ece8bbdbf844cea
which is already included in the version in unstable.

> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

cu
Adrian
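The bug class described in the quoted advisory (an untrusted 16-bit length handed straight to memcpy() as the copy size into a fixed 256-byte buffer) is easy to check for in a parser. The C below is an added illustration, not coturn's code and not either of the commits referenced in this thread: it uses a hypothetical token layout (a big-endian uint16_t nonce_len followed by the nonce bytes) and its own names (decode_nonce_checked, nonce_block, the demo_* helpers), keeping only the 256-byte capacity and the nonce_len field from the advisory. It shows the two length checks a decoder needs before copying: the declared length must fit the destination buffer, and it must also fit the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed nonce buffer; the advisory names a 256-byte
 * stack buffer (oauth_encrypted_block.nonce[256]). */
#define NONCE_CAPACITY 256

/* Hypothetical token layout for this demo (NOT coturn's real format):
 *   bytes 0-1 : nonce_len, big-endian uint16_t (attacker-controlled)
 *   bytes 2.. : nonce_len bytes of nonce, then the rest of the token
 */
typedef struct {
    uint16_t nonce_len;
    uint8_t  nonce[NONCE_CAPACITY];
} nonce_block;

/* Parse the nonce out of an untrusted token into a fixed-size buffer.
 * Returns 0 on success, -1 on any length violation. Both checks run
 * before the copy, and therefore before any later GCM tag verification:
 * authentication cannot protect a parser that has already overflowed. */
int decode_nonce_checked(const uint8_t *token, size_t token_len, nonce_block *out)
{
    if (token == NULL || out == NULL || token_len < 2)
        return -1;

    uint16_t nonce_len = (uint16_t)(((unsigned)token[0] << 8) | token[1]);

    /* Check 1 (the one the advisory says was missing): the 16-bit length,
     * which can be anything from 0 to 65535, must fit the 256-byte buffer. */
    if (nonce_len > NONCE_CAPACITY)
        return -1;

    /* Check 2: the declared length must also fit the bytes actually
     * received, otherwise memcpy reads past the end of the token. */
    if ((size_t)nonce_len > token_len - 2)
        return -1;

    out->nonce_len = nonce_len;
    memcpy(out->nonce, token + 2, nonce_len);
    return 0;
}

/* Constructed sample tokens. Each helper returns 1 when the decoder
 * behaves as expected, so the outcome is easy to assert on. */
int demo_accepts_small_nonce(void)
{
    uint8_t tok[2 + 12];
    nonce_block nb;
    tok[0] = 0x00; tok[1] = 12;          /* nonce_len = 12, a typical GCM nonce size */
    memset(tok + 2, 0xAB, 12);
    if (decode_nonce_checked(tok, sizeof tok, &nb) != 0) return 0;
    return nb.nonce_len == 12 && nb.nonce[0] == 0xAB && nb.nonce[11] == 0xAB;
}

int demo_rejects_oversized_nonce(void)
{
    uint8_t tok[2 + 1024];
    nonce_block nb;
    memset(tok, 0x41, sizeof tok);
    tok[0] = 0x04; tok[1] = 0x00;        /* nonce_len = 1024 > 256: must be refused */
    return decode_nonce_checked(tok, sizeof tok, &nb) == -1;
}

int demo_rejects_truncated_token(void)
{
    uint8_t tok[2 + 10];
    nonce_block nb;
    memset(tok, 0x42, sizeof tok);
    tok[0] = 0x00; tok[1] = 100;         /* claims 100 bytes, only 10 follow */
    return decode_nonce_checked(tok, sizeof tok, &nb) == -1;
}

int main(void)
{
    printf("small nonce accepted:     %d\n", demo_accepts_small_nonce());
    printf("oversized nonce rejected: %d\n", demo_rejects_oversized_nonce());
    printf("truncated token rejected: %d\n", demo_rejects_truncated_token());
    return 0;
}
```

A real decoder would additionally pin the nonce to the size the cipher mode expects (12 bytes is the usual AES-GCM nonce size) rather than accepting anything up to the buffer capacity; the example keeps the wider bound only to mirror the 256-byte buffer the advisory describes.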

