Fedora 44 Coturn 4.10.0 Moderate STUN Memory Access Issue 2026-1c11dc3e37
fedora
April 25, 2026
Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_...
Summary
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.
This implementation also includes some extra features. Supported RFCs:
TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.
STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support
The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)
Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)
Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis
Redis can also be used for status and statistics storage and notification.
Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)
The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.
Update Information:
Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator Eliminate mutex and reduce copies on auth message dispatch Replace mutex_bps with lock-free atomics for bandwidth tracking Remove unused mutex from ur_map structure WebRTC Auth optimization path Improve worst case scenario - avoid memory allocation Memory issues Fix null pointer dereferences in post_parse() Fix stack buffer overflow in OAuth token decoding Fix uint16_t truncation overflow in stun_get_message_len_str() Initialize variables before use Security CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser General Improvements Disable reason string in response messages to reduce amplification factor Keep only NEV_UDP_SOCKET_PER_THREAD network engine Replace perror with logging Extend seed corpus and add more fuzzing scenarios Update config and Readme file...
Topics Covered
Change Log
* Fri Apr 17 2026 Robert Scheck
References
[ 1 ] Bug #2460213 - CVE-2026-40613 coturn: coturn: Denial of Service due to misaligned memory reads from crafted STUN messages
https://bugzilla.redhat.com/show_bug.cgi?id=2460213
Update Instructions
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-1c11dc3e37' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Name: coturn
Product: Fedora 44
Version: 4.10.0
Release: 1.fc44
Summary: TURN/STUN & ICE Server
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!