CVE-2026-27624

Description

Coturn is a free, open source implementation of a TURN and STUN server. Coturn is commonly configured to block loopback and internal ranges using denied-peer-ip and/or its default loopback restrictions. CVE-2020-26262 addressed bypasses involving 0.0.0.0, [::1] and [::], but IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) were not covered.

When a CreatePermission or ChannelBind request carries an XOR-PEER-ADDRESS value of ::ffff:127.0.0.1, the server returns a success response even though 127.0.0.0/8 is blocked via denied-peer-ip.

The root cause is that, prior to the updated fix in version 4.9.0, three functions in src/client/ns_turn_ioaddr.c do not check IN6_IS_ADDR_V4MAPPED before inspecting the address:

- ioa_addr_is_loopback() checks 127.x.x.x (AF_INET) and ::1 (AF_INET6), but not ::ffff:127.0.0.1.
- ioa_addr_is_zero() checks 0.0.0.0 and ::, but not ::ffff:0.0.0.0.
- addr_less_eq(), used by ioa_addr_in_range() for denied-peer-ip matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4 address, so the peer falls outside every IPv4 deny range.

Version 4.9.0 contains an updated fix that addresses this bypass of the fix for CVE-2020-26262.
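The following C program is an added example, not coturn's source and not the 4.9.0 patch. It models the three checks as the description characterises them and adds one normalisation step (folding a v4-mapped IPv6 address back into AF_INET before any check runs), with a flag that switches that step on and off so the pre-fix and fixed outcomes can be compared side by side. The peer_addr struct, the helper names, and the deny ranges are assumptions for illustration; the lo-hi range form follows the denied-peer-ip configuration syntax.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for coturn's ioa_addr (which is a union of sockaddr_in and
 * sockaddr_in6). Assumed layout for this example only. */
typedef struct {
    int family;              /* AF_INET or AF_INET6 */
    struct in_addr  v4;
    struct in6_addr v6;
} peer_addr;

static int parse_peer(const char *text, peer_addr *out)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, &out->v4) == 1) { out->family = AF_INET; return 0; }
    if (inet_pton(AF_INET6, text, &out->v6) == 1) { out->family = AF_INET6; return 0; }
    return -1;
}

/* The step the pre-4.9.0 checks lack: if the address is ::ffff:a.b.c.d,
 * extract the embedded IPv4 address (last 4 bytes, already in network
 * byte order) and treat it as AF_INET. Returns 1 if a conversion happened. */
static int unmap_v4mapped(peer_addr *a)
{
    if (a->family != AF_INET6 || !IN6_IS_ADDR_V4MAPPED(&a->v6))
        return 0;
    memcpy(&a->v4.s_addr, &a->v6.s6_addr[12], 4);
    memset(&a->v6, 0, sizeof(a->v6));
    a->family = AF_INET;
    return 1;
}

/* Mirrors the ioa_addr_is_loopback() behaviour described above:
 * 127.0.0.0/8 for AF_INET, ::1 for AF_INET6, nothing else. */
static int is_loopback(const peer_addr *a)
{
    if (a->family == AF_INET)
        return (ntohl(a->v4.s_addr) >> 24) == 127;
    return IN6_IS_ADDR_LOOPBACK(&a->v6);
}

/* Mirrors ioa_addr_is_zero(): 0.0.0.0 for AF_INET, :: for AF_INET6. */
static int is_zero(const peer_addr *a)
{
    if (a->family == AF_INET)
        return a->v4.s_addr == 0;
    return IN6_IS_ADDR_UNSPECIFIED(&a->v6);
}

/* IPv4 lo-hi range test. Like the pre-fix addr_less_eq(), an address
 * family mismatch is simply reported as "not in range". */
static int in_v4_range(const peer_addr *a, const char *lo, const char *hi)
{
    struct in_addr l, h;
    if (a->family != AF_INET) return 0;
    if (inet_pton(AF_INET, lo, &l) != 1 || inet_pton(AF_INET, hi, &h) != 1) return 0;
    uint32_t x = ntohl(a->v4.s_addr);
    return ntohl(l.s_addr) <= x && x <= ntohl(h.s_addr);
}

/* Decide whether a CreatePermission / ChannelBind peer is accepted.
 * fixed == 0 reproduces the pre-4.9.0 behaviour; fixed == 1 normalises
 * v4-mapped addresses first. Returns 1 = allowed, 0 = denied, -1 = unparseable. */
int peer_allowed(const char *peer_text, int fixed)
{
    peer_addr a;
    if (parse_peer(peer_text, &a) != 0) return -1;
    if (fixed) unmap_v4mapped(&a);
    if (is_loopback(&a) || is_zero(&a)) return 0;
    /* constructed denied-peer-ip list: loopback and 10/8 */
    if (in_v4_range(&a, "127.0.0.0", "127.255.255.255")) return 0;
    if (in_v4_range(&a, "10.0.0.0", "10.255.255.255")) return 0;
    return 1;
}

int main(void)
{
    /* constructed sample peers: plain loopback/zero, v4-mapped variants, and a public host */
    const char *peers[] = { "127.0.0.1", "::1", "0.0.0.0", "::ffff:127.0.0.1",
                            "::ffff:0.0.0.0", "::ffff:10.1.2.3", "203.0.113.7" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        int pre = peer_allowed(peers[i], 0), post = peer_allowed(peers[i], 1);
        printf("%-18s pre-fix: %-7s fixed: %s\n", peers[i],
               pre == 1 ? "ALLOWED" : "denied", post == 1 ? "ALLOWED" : "denied");
    }
    return 0;
}
```

The v4-mapped rows are the ones that flip: pre-fix they sail past all three checks because the address is AF_INET6 and neither ::1, ::, nor any IPv4 deny range matches it; after normalisation they are judged as the embedded IPv4 address. Note that the order matters: the unmapping has to happen before the loopback, zero and range checks, which is why a single normalisation at the entry point is simpler to reason about than patching each check separately.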

Risk Information

Base Score
6.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.035

Associated Vulnerability

No records found

Patch Details

No records found
