
One Rogue Packet Can Knock Out Your Video Calls: The Coturn Bug Explained

A single malicious message can instantly crash the server software routing millions of video calls, voice chats, and remote work sessions worldwide. No login required.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Coturn Crash Bug: ARM64 Video Calls at Risk

A single carefully crafted network packet — sent by anyone on the internet, no password required — can instantly and completely crash the server software that keeps your video calls, voice chats, and remote work sessions alive.

Who Is Affected — and How Many

The vulnerable software is Coturn, a free, open-source server used to relay real-time communications when two devices can't connect directly to each other. If you've ever made a video call on a platform that didn't stutter when you moved between Wi-Fi networks, there's a reasonable chance Coturn was quietly working in the background. It is embedded in the infrastructure of telehealth platforms, corporate video conferencing tools, browser-based calling apps, and WebRTC-powered services used by hundreds of millions of people daily.

The vulnerability, tracked as CVE-2026-40613 and rated HIGH severity, specifically affects deployments running on ARM64 (AArch64) processors — the chip architecture now powering a growing wave of cloud servers from AWS Graviton to Ampere-based instances. As cloud providers aggressively push ARM-based servers for their cost and energy efficiency, the number of exposed Coturn deployments on this architecture is climbing fast. Security teams that migrated to ARM to save money may have unknowingly increased their attack surface.

What an Attacker Can Actually Do

Imagine the bouncer at a club who checks everyone's ID before letting them in. Now imagine someone hands the bouncer a card that's slightly the wrong size — not fake, just physically misaligned — and the bouncer's ID scanner immediately catches fire and shuts down, letting no one in or out. That's roughly what's happening here. Coturn receives millions of small, structured network messages every day as part of normal operation. This bug means that if an attacker sends just one of those messages with its internal data positioned at a slightly unusual location in memory, the server's brain locks up and the whole process dies instantly.

The result is a complete denial of service: every active call drops, every user mid-session gets disconnected, and no new connections can be established until a human administrator notices the outage and restarts the server. The attacker doesn't need an account. They don't need to know anything about the target organization. They just need to know the server's IP address and port — both of which are typically public by design, because the whole point of this software is to be reachable by anyone trying to make a call.

For a telehealth company, that could mean a doctor losing a live consultation with a patient mid-diagnosis. For a financial services firm, it could mean a trading floor losing its communication backbone during market hours. For a remote-work platform, it could mean thousands of employees simultaneously dropped from their meetings. The attack is cheap, repeatable, and requires essentially zero technical sophistication once the exploit is understood.

The Technical Detail That Matters

For security researchers and engineers who want the specifics: the root cause is an unsafe pointer cast from uint8_t * to uint16_t * without alignment validation inside the STUN/TURN attribute parsing routines in ns_turn_msg.c. On x86 processors, which handle unaligned memory reads silently, this bug lies dormant. On ARM64 architectures with strict alignment enforcement enabled, an odd-aligned attribute boundary triggers a SIGBUS signal — a hardware-level bus error — that the operating system uses to immediately terminate the offending process. There is no graceful recovery. The CVSS score is 7.5 (HIGH), reflecting the low attack complexity and the complete loss of availability with no authentication barrier whatsoever. The vulnerability class is memory-safety / misaligned memory access, a cousin of the kind of bugs that have haunted C-based network software for decades.
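To make the root cause concrete, here is an added example (written for this article, not Coturn's own code or its actual fix): the alignment check the text says was missing, beside a 16-bit attribute read that is correct at any alignment. It assumes the standard STUN attribute header layout (2-byte type, 2-byte length, big-endian) and uses a constructed sample message with a header placed at an odd offset.

```c
/* Added example, not Coturn's code: a 16-bit STUN attribute field read that
 * is safe at any alignment, next to the check the article says was missing.
 * Layout assumed from RFC 5389: 2-byte type, 2-byte length, big-endian. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The missing validation: does p satisfy what a strict-alignment ARM64 core
 * requires for a 2-byte load? A cast like *(const uint16_t *)p is only
 * well-defined when this returns true; on ARM64 with alignment checking on,
 * the odd case is what raises SIGBUS. */
bool is_aligned_u16(const void *p) {
    return ((uintptr_t)p % sizeof(uint16_t)) == 0;
}

/* Alignment-independent big-endian read: the two bytes are combined in a
 * register, so no 2-byte memory load ever happens. */
uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Parse an attribute header at byte offset off of a len-byte message.
 * Bounds-checked first, then read with read_be16 regardless of alignment. */
bool parse_attr_header(const uint8_t *buf, size_t len, size_t off,
                       uint16_t *type, uint16_t *length) {
    if (off > len || len - off < 4) return false;
    *type = read_be16(buf + off);
    *length = read_be16(buf + off + 2);
    return true;
}

/* Constructed sample message (hypothetical, for this example only):
 * 2-byte-aligned storage so that offset 21 is genuinely odd, holding a
 * header for type 0x0020 (XOR-MAPPED-ADDRESS) with a declared length of 8. */
static uint16_t sample_storage[16];

const uint8_t *sample_message(void) {
    uint8_t *b = (uint8_t *)sample_storage;
    memset(b, 0, sizeof sample_storage);
    b[21] = 0x00; b[22] = 0x20;   /* attribute type   = 0x0020 */
    b[23] = 0x00; b[24] = 0x08;   /* attribute length = 8      */
    return b;
}
```

The same header parsed through a raw uint16_t cast would have to pass is_aligned_u16 first; read_be16 sidesteps the question entirely, which is why byte-wise or memcpy-based reads are the usual fix for this bug class.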

Real-World Context: Discovered, Not Yet Weaponized

As of publication, there is no confirmed active exploitation of CVE-2026-40613 in the wild, and no known victims or attacker campaigns have been attributed to this bug. The vulnerability was discovered through code analysis of the Coturn project and responsibly disclosed, leading to a patch in Coturn version 4.10.0. However, security teams should treat the absence of known exploitation as a narrow window of opportunity, not a reason to relax. Denial-of-service bugs against publicly reachable infrastructure are among the fastest vulnerability classes to be operationalized — writing a proof-of-concept requires no memory corruption expertise, just a crafted packet. The fact that ARM64 cloud deployments are specifically affected means attackers targeting cost-conscious infrastructure providers have a clear profile to scan for.

What You Should Do Right Now

If your organization runs Coturn anywhere in its stack — including in self-hosted video conferencing, WebRTC infrastructure, or VoIP platforms — take these three steps:

  1. Update to Coturn 4.10.0 immediately. This is the patched release that resolves CVE-2026-40613. Check your package manager, container image, or direct installation. Run turnserver --version to confirm your current version. If you are below 4.10.0, you are vulnerable. There is no workaround or configuration change that mitigates this issue — only the update fixes it.
  2. Audit your cloud architecture for ARM64 instances. If you've migrated any part of your real-time communications infrastructure to AWS Graviton, Google Axion, Ampere Altra, or any other ARM64-based cloud instance, those deployments are the highest-priority targets. Log into your cloud console, filter running instances by architecture, and cross-reference with any service running Coturn. Do this before assuming you're safe.
  3. Add rate limiting and network-level monitoring to your TURN ports. Even post-patch, implement rate limiting on UDP/TCP ports 3478 and 5349 (the standard TURN/STUN ports) at your firewall or load balancer. Set up an alert that triggers if the Coturn process restarts unexpectedly — that's your canary. Tools like systemd service restart counters, Prometheus with a process exporter, or even a simple uptime health check can give you early warning if someone is probing or attacking your deployment.

CVE: CVE-2026-40613 | CVSS: 7.5 (HIGH) | Fixed in: Coturn 4.10.0 | Exploitation status: No active exploitation confirmed
