Fedora 42 Coturn Faces Severe Memory Problems with CVE-2026-40613

The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.

It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:

- RFC 5766 - base TURN specs

- RFC 6062 - TCP relaying TURN extension

- RFC 6156 - IPv6 extension for TURN

- Experimental DTLS support as client protocol.

STUN specs:

- RFC 3489 - "classic" STUN

- RFC 5389 - base "new" STUN specs

- RFC 5769 - test vectors for STUN protocol testing

- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:

- UDP (per RFC 5766)

- TCP (per RFC 5766 and RFC 6062)

- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2

- DTLS (experimental non-standard feature)

Supported relay protocols:

- UDP (per RFC 5766)

- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if

authentication is required):

- SQLite

- MySQL

- PostgreSQL

- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:

- long-term

- TURN REST API (a modification of the long-term mechanism, for time-limited

secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a

combination of them):

- network load-balancer server

- DNS-based load balancing

- built-in ALTERNATE-SERVER mechanism.

Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator Eliminate mutex and reduce copies on auth message dispatch Replace mutex_bps with lock-free atomics for bandwidth tracking Remove unused mutex from ur_map structure WebRTC Auth optimization path Improve worst case scenario - avoid memory allocation Memory issues Fix null pointer dereferences in post_parse() Fix stack buffer overflow in OAuth token decoding Fix uint16_t truncation overflow in stun_get_message_len_str() Initialize variables before use Security CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser General Improvements Disable reason string in response messages to reduce amplification factor Keep only NEV_UDP_SOCKET_PER_THREAD network engine Replace perror with logging Extend seed corpus and add more fuzzing scenarios Update config and Readme file...