PT-2026-50787 · Coturn · Coturn
Published: 2026-06-18 · Updated: 2026-06-18
CVE-2026-43994
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Coturn versions prior to 4.10.0
Description
A stack buffer overflow exists in the decode_oauth_token_gcm() function. A nonce_len field, read from an attacker-supplied OAuth access token, is passed to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. This allows up to 735 bytes of attacker-controlled data to be written past the buffer, potentially corrupting adjacent stack data and control-flow data. The overflow occurs before AES-GCM authentication is verified, meaning the attacker does not need the OAuth key or a valid token. This issue requires the server to be running in --oauth mode. This may provide a remote code execution primitive.
Recommendations
Update to version 4.10.0.
As a temporary workaround, disable --oauth mode to minimize the risk of exploitation.
Fix
Buffer Overflow
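The bounds check whose absence the description explains, as an added example in C; it is not Coturn's code or the 4.10.0 patch. The token layout (2-byte big-endian length, nonce, ciphertext), `struct parsed_token` and `parse_token_header()` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_MAX 256 /* size of the nonce buffer named in the advisory */

/* Hypothetical structure for this example; not Coturn's definition. */
struct parsed_token {
    uint8_t nonce[NONCE_MAX];
    size_t nonce_len;
    const uint8_t *ciphertext; /* points into the caller's token buffer */
    size_t ciphertext_len;
};

/* Assumed layout: 2-byte big-endian nonce length, nonce, ciphertext + tag.
 * Runs before any AES-GCM check, so every field is untrusted input.
 * Returns 0 on success, -1 if the token is malformed. */
int parse_token_header(const uint8_t *tok, size_t tok_len, struct parsed_token *out)
{
    if (tok == NULL || out == NULL || tok_len < 2)
        return -1;

    size_t nonce_len = ((size_t)tok[0] << 8) | tok[1];

    /* Check 1: the claimed length must fit the destination buffer. */
    if (nonce_len == 0 || nonce_len > sizeof(out->nonce))
        return -1;
    /* Check 2: it must not run past the bytes actually received. */
    if (nonce_len > tok_len - 2)
        return -1;

    memcpy(out->nonce, tok + 2, nonce_len); /* length validated above */
    out->nonce_len = nonce_len;
    out->ciphertext = tok + 2 + nonce_len;
    out->ciphertext_len = tok_len - 2 - nonce_len;
    return 0;
}

int main(void)
{
    /* Constructed sample: header claims a 991-byte nonce (256 + 735). */
    uint8_t tok[1024] = {0x03, 0xdf};
    struct parsed_token p;
    printf("oversized nonce length: %s\n",
           parse_token_header(tok, sizeof tok, &p) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Both checks are needed: the first protects the destination buffer, the second prevents reading past the end of a truncated token.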
Weakness Enumeration
Related Identifiers
Affected Products
Coturn