Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-43994

Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-120 Copia de búfer sin comprobación del tamaño de entrada (Desbordamiento de búfer clásico)
Fecha de publicación:
18/06/2026
Última modificación:
26/06/2026

Descripción

*** Pendiente de traducción *** Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. The overflow occurs before AES-GCM authentication is verified, the attacker does not need to know the OAuth key or produce a valid AES-GCM token. Up to 735 bytes of attacker-controlled data are written past the buffer, may corrupt adjacent stack data, including control-flow data depending on compiler, ABI, and mitigations. Requires --oauth mode (non-default). This may provide a plausible RCE primitive depending on exploit mitigations; because coturn is widely deployed for WebRTC TURN/STUN and --oauth is commonly recommended, impact can be broad. This issue has been fixed in version 4.10.0.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:a:coturn_project:coturn:*:*:*:*:*:*:*:* 4.10.0 (excluyendo)