Source: coturn
Version: 4.12.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for coturn.

CVE-2026-43994[0]:
| Coturn is a free open source implementation of TURN and STUN Server.
| Versions prior to 4.10.0 contain a stack buffer overflow in
| decode_oauth_token_gcm(). A uint16_t nonce_len field read from an
| attacker-supplied OAuth access token (0-65535) is passed directly to
| memcpy() as the copy length into a 256-byte stack buffer
| (oauth_encrypted_block.nonce[256]) without bounds checking. The
| overflow occurs before AES-GCM authentication is verified; the
| attacker does not need to know the OAuth key or produce a valid
| AES-GCM token. Up to 735 bytes of attacker-controlled data are
| written past the buffer and may corrupt adjacent stack data,
| including control-flow data depending on compiler, ABI, and
| mitigations. Requires --oauth mode (non-default). This may provide a
| plausible RCE primitive depending on exploit mitigations; because
| coturn is widely deployed for WebRTC TURN/STUN and --oauth is
| commonly recommended, impact can be broad. This issue has been fixed
| in version 4.10.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-43994
    https://www.cve.org/CVERecord?id=CVE-2026-43994
[1] https://github.com/coturn/coturn/security/advisories/GHSA-74pg-rfh2-5qw5
[2] https://github.com/coturn/coturn/commit/5ca467e70915c033f371cd7a9742759c68f56363

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
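As an added illustration of the defect class described in the advisory (not coturn's code, and not the upstream fix itself), the following simplified decoder shows the length-vs-capacity check that must precede the memcpy into a fixed 256-byte nonce buffer. The token layout, struct, and helper `decode_case()` are constructed for this example; coturn's real token format and `oauth_encrypted_block` have more fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NONCE_CAP 256   /* same size as the 256-byte nonce buffer the advisory describes */

/* Simplified decode target (hypothetical); coturn's real struct has more fields. */
struct oauth_block {
    uint8_t  nonce[NONCE_CAP];
    uint16_t nonce_len;
};

/* Constructed token layout for this example (not coturn's real encoding):
 *   bytes 0-1 : nonce_len, big-endian uint16, fully attacker-controlled
 *   bytes 2.. : nonce bytes, followed by the rest of the token
 * Returns 0 on success, -1 if the declared length cannot be honoured. */
int decode_nonce_checked(const uint8_t *tok, size_t tok_len, struct oauth_block *out)
{
    if (tok_len < 2)
        return -1;
    uint16_t nonce_len = (uint16_t)((tok[0] << 8) | tok[1]);
    /* Capacity check before memcpy: this is the check the advisory says was missing,
     * and it must run before any cryptographic verification of the token. */
    if (nonce_len > NONCE_CAP)
        return -1;
    /* Also refuse lengths that run past the token itself (would be an over-read). */
    if (nonce_len > tok_len - 2)
        return -1;
    memcpy(out->nonce, tok + 2, nonce_len);
    out->nonce_len = nonce_len;
    return 0;
}

/* Test helper: build a constructed token that declares `declared` nonce bytes
 * but carries only `actual` body bytes, then decode it. Returns the decode result. */
int decode_case(uint16_t declared, size_t actual)
{
    uint8_t tok[2 + 1024];
    struct oauth_block blk;
    if (actual > sizeof tok - 2)
        actual = sizeof tok - 2;
    tok[0] = (uint8_t)(declared >> 8);
    tok[1] = (uint8_t)(declared & 0xff);
    memset(tok + 2, 0x41, actual);   /* constructed filler bytes */
    return decode_nonce_checked(tok, 2 + actual, &blk);
}
```

A 16-bit length field can always exceed a fixed buffer, so the capacity check is a hard requirement regardless of whether the token later fails AES-GCM authentication.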

