PT-2026-34043 · Coturn · Coturn
Published: 2026-04-21 · Updated: 2026-04-22
CVE-2026-40613
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Coturn versions prior to 4.10.0
Description
STUN/TURN attribute parsing functions perform unsafe pointer casts from `uint8_t *` to `uint16_t *` without alignment checks. When a crafted STUN message with odd-aligned attribute boundaries is processed, misaligned memory reads occur in `ns_turn_msg.c`. On ARM64 (AArch64) architectures with strict alignment enforcement, this triggers SIGBUS, a signal sent to a process when it does not have permission to access a memory location or the memory is physically unavailable, and the turnserver process terminates immediately. An unauthenticated remote attacker can cause a crash by sending a single crafted UDP packet.
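An alignment-safe way to read the 16-bit attribute fields, as an added example (not Coturn's code or its 4.10.0 patch): the helper names `get_be16`, `stun_find_attr` and `lifetime_at_odd_address` and the sample message are constructed for illustration. It assembles each value byte by byte instead of casting, and bounds-checks every attribute length.

```c
#include <stddef.h>
#include <stdint.h>

/* Unsafe pattern described in the advisory (shown only as a comment):
 *     uint16_t v = *(const uint16_t *)p;   // p may be odd-aligned
 * Alignment-safe replacement: assemble the big-endian value byte by byte. */
static uint16_t get_be16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

#define STUN_HDR_LEN 20u
/* Find attribute `want` in a STUN message of `len` bytes.
 * Returns the offset of the attribute value, or -1 if absent or malformed. */
static long stun_find_attr(const uint8_t *msg, size_t len, uint16_t want,
                           uint16_t *value_len) {
    if (len < STUN_HDR_LEN) return -1;
    size_t body = get_be16(msg + 2);            /* header length field */
    if ((body & 3u) != 0 || body > len - STUN_HDR_LEN) return -1;
    size_t end = STUN_HDR_LEN + body, off = STUN_HDR_LEN;
    while (end - off >= 4) {
        uint16_t type = get_be16(msg + off);
        uint16_t alen = get_be16(msg + off + 2);
        size_t padded = ((size_t)alen + 3u) & ~(size_t)3u;
        if (padded > end - off - 4) return -1;  /* value runs past the message */
        if (type == want) { *value_len = alen; return (long)(off + 4); }
        off += 4 + padded;                      /* offset stays a multiple of 4 */
    }
    return -1;
}

/* Constructed sample: header, SOFTWARE (0x8022, 3 bytes + 1 pad), LIFETIME (0x000D). */
static const uint8_t SAMPLE[] = {
    0x00,0x03, 0x00,0x10, 0x21,0x12,0xA4,0x42,
    0,1,2,3,4,5,6,7,8,9,10,11,
    0x80,0x22, 0x00,0x03, 'a','b','c',0x00,
    0x00,0x0D, 0x00,0x04, 0x00,0x00,0x02,0x58,
};

/* Parse the sample from a deliberately odd address; return LIFETIME or -1. */
static long lifetime_at_odd_address(void) {
    _Alignas(4) uint8_t buf[sizeof SAMPLE + 1];
    for (size_t i = 0; i < sizeof SAMPLE; i++) buf[i + 1] = SAMPLE[i];
    uint16_t vlen = 0;
    long off = stun_find_attr(buf + 1, sizeof SAMPLE, 0x000D, &vlen);
    if (off < 0 || vlen != 4) return -1;
    const uint8_t *v = buf + 1 + off;
    return ((long)get_be16(v) << 16) | get_be16(v + 2);
}
int main(void) { return lifetime_at_odd_address() == 600 ? 0 : 1; }
```

Building a parser like this with `-fsanitize=alignment` on any architecture reports misaligned loads during testing, without needing strict-alignment hardware to surface them.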
Recommendations
Update to version 4.10.0.
Exploit
Fix
DoS
Incorrect Type Conversion or Cast
Affected Products
Coturn