Fedora 43 Coturn Important XSS Security Alert FEDORA-2026-c42d951aad
fedora
June 23, 2026
Coturn 4.13.1 What's in this release Security fixes What's Changed Null-terminate server_name in stun_is_challenge_response_str
Summary
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.
This implementation also includes some extra features. Supported RFCs:
TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.
STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support
The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)
Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)
Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis
Redis can also be used for status and statistics storage and notification.
Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)
The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.
Update Information:
Coturn 4.13.1 What's in this release Security fixes What's Changed Null-terminate server_name in stun_is_challenge_response_str Canonicalize all IPv4-in-IPv6 encodings before peer-IP checks Auto-deny coturn's own database backend endpoints as relay peers Deny link-local / ULA / site-local relay peers by default Coturn 4.13.0 What's in this release More performance improvements for --udp-recvmmsg and --multiplex-peer. If your system does not rely on TURN unique ports give multiplexing a try - it has capacity to dramatically increase performance. Security fixes What's Changed Wrap atomic everywhere Fix sendmmsg stride bug in multiplex-peer UDP batch flush Reap TURN permissions/channels via a per-thread sweep instead of per-object timers Add --udp-sendmmsg-log to observe egress sendmmsg/UDP-GSO batching Expose recvmmsg/sendmmsg UDP batch sizes as Prometheus metrics Restrict recvmmsg fast path to shared fan-in sockets (make --udp-recvmmsg useful standalone) Enable...
Topics Covered
Change Log
* Tue Jun 16 2026 Robert Scheck
References
[ 1 ] Bug #2490558 - CVE-2026-43915 coturn: Coturn: Cross-Site Scripting (XSS) via crafted username in TURN allocation https://bugzilla.redhat.com/show_bug.cgi?id=2490558
Update Instructions
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-c42d951aad' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
PREVIOUS 
NEXT Severity
important
Lowest
Low
Medium
High
Critical
Name: coturn
Product: Fedora 43
Version: 4.13.1
Release: 1.fc43
Summary: TURN/STUN & ICE Server
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!