External risk intelligence

Coturn OAuth Stack Buffer Overflow Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-43994

Coturn is a TURN/STUN server designed specifically to facilitate WebRTC traffic, making it a standard internet-facing gateway component in many network architectures. By design, these servers must be reachable from the public internet to bridge media streams between clients.

Buffer Overflow

Coturn Project Coturn

before 4.10.0

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Coturn software, an open-source server used for WebRTC communication. This issue, related to handling authorization tokens, could allow an attacker to remotely execute code by exploiting a buffer overflow. While this specific vulnerability requires a particular configuration, Coturn's widespread use in facilitating internet-based communications means its exposure is significant.

  • Overflow in authorization token handling.
  • Potential for remote code execution.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker can target this vulnerability by sending a specially crafted OAuth access token to a Coturn server. This token, processed before full authentication, can cause a buffer overflow. If successful, this could allow an attacker to execute arbitrary code on the server, potentially leading to a wide-reaching compromise given Coturn's common use in WebRTC.

  • No authentication required.
  • Malformed OAuth token triggers overflow.
  • Potential for code execution and broad compromise.

Live Threat

Current exploitation, exposure, and threat context

When the `--oauth` mode is enabled, a stack buffer overflow in the `decode_oauth_token_gcm()` function could allow an unauthenticated attacker to overwrite adjacent stack data. This may lead to control-flow hijacking, potentially resulting in remote code execution when supported by specific system configurations and compiler protections.

  • Server memory and execution control.
  • Unauthenticated network requests exploit overflow.
  • Potential remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world responsibility for this vulnerability likely falls to teams managing application infrastructure, platform services, or network security, particularly those responsible for WebRTC deployments. The first step is to locate all instances of the affected technology, verify their exposure to the internet and criticality, identify the accountable owner, and then prioritize remediation based on potential risk.

  • Application or platform teams own the issue.
  • Verify external reachability and business criticality.
  • Plan remediation during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Coturn?

Coturn is a widely used, open-source server implementation designed to handle STUN and TURN protocols. It acts as a critical gateway in network architectures, specifically enabling WebRTC by facilitating the relay and traversal of media streams—like voice and video data—between clients that would otherwise be blocked by firewalls or NATs.

What does CWE-120 mean for CVE-2026-43994?

CWE-120 refers to a buffer copy without checking size, commonly known as a buffer overflow. In this vulnerability, the software fails to limit the amount of data it copies from an incoming OAuth token into a specific fixed-size memory area called the stack. By providing an oversized token, an attacker can overwrite adjacent memory, which may allow them to manipulate the server's internal operations or execution flow.

How is this vulnerability triggered?

An attacker triggers this by sending a malformed OAuth access token to the server. Critically, the overflow happens before the server verifies the cryptographic signature of the token, so the attacker does not need valid credentials to initiate the attack. Notably, this flaw only exists when the server is explicitly configured with the '--oauth' mode enabled; default configurations without this setting are not affected by this specific bug.

Is my Coturn instance relevant if it is internal?

Halo Surface Signal indicates that Coturn servers are typically designed as internet-facing gateways to bridge media traffic, increasing the likelihood of exposure. While an internal-only instance has a smaller attack surface, any Coturn server with '--oauth' enabled is technically vulnerable. You should assess whether your specific implementation is reachable from networks where an attacker could deliver a crafted request.

What should I do to address this vulnerability?

Your first step is to audit your infrastructure to identify all running Coturn instances and determine if the '--oauth' configuration is active. If your servers are running any version prior to 4.10.0 with this feature enabled, prioritize updating to version 4.10.0 or later, where this memory handling issue is resolved. Plan this update during your next maintenance window to ensure stability.

References