Description
Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.4, the buffer used for inbound network traffic had no upper limit: Pion DTLS buffered all network traffic from the remote peer until the handshake completed or timed out. A remote, unauthenticated attacker could exploit this to cause excessive memory usage (a denial of service) simply by sending data without ever completing the handshake. Version 2.1.4 contains a patch for this issue. There are currently no known workarounds available.
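The flaw class described above, as an added Go illustration that is not pion/dtls code: a server-side queue holds inbound records until the handshake finishes, shown once with no ceiling (the pre-2.1.4 behaviour) and once with a byte limit. The `limit` parameter, the `ErrInboundLimit` error and the `flood` peer model are assumptions made for this example, not values or names taken from the project.

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration of the advisory's flaw class, not code from pion/dtls.
// It models a queue that retains inbound records from a peer until the DTLS
// handshake completes.

// ErrInboundLimit is returned by the hardened buffer when a peer sends more
// pre-handshake data than the configured ceiling allows (hypothetical name).
var ErrInboundLimit = errors.New("inbound handshake buffer limit exceeded")

// inboundBuffer is the common shape of both variants below.
type inboundBuffer interface {
	Push(record []byte) error
	Buffered() int
}

// unboundedBuffer mirrors the pre-2.1.4 behaviour: every record a peer sends
// before the handshake completes is retained, with no upper bound.
type unboundedBuffer struct {
	pending [][]byte
	total   int
}

func (b *unboundedBuffer) Push(record []byte) error {
	b.pending = append(b.pending, record)
	b.total += len(record)
	return nil
}

func (b *unboundedBuffer) Buffered() int { return b.total }

// boundedBuffer is the hardened form: a ceiling on retained bytes.
// The limit is a hypothetical parameter, not the value pion chose.
type boundedBuffer struct {
	pending [][]byte
	total   int
	limit   int
}

func newBoundedBuffer(limit int) *boundedBuffer {
	return &boundedBuffer{limit: limit}
}

func (b *boundedBuffer) Push(record []byte) error {
	if b.total+len(record) > b.limit {
		// Reject rather than grow; the caller can drop the record or
		// abort the half-open handshake.
		return ErrInboundLimit
	}
	b.pending = append(b.pending, record)
	b.total += len(record)
	return nil
}

func (b *boundedBuffer) Buffered() int { return b.total }

// flood models a peer that never completes the handshake and instead sends
// count records of size bytes each. It returns the bytes the buffer retained
// and the first error the buffer raised, if any.
func flood(buf inboundBuffer, count, size int) (int, error) {
	record := make([]byte, size) // constructed sample record; contents are irrelevant
	var firstErr error
	for i := 0; i < count; i++ {
		if err := buf.Push(record); err != nil && firstErr == nil {
			firstErr = err
		}
	}
	return buf.Buffered(), firstErr
}

func main() {
	const records, size = 10000, 1200 // 12 MB from one peer before any handshake finishes

	retained, err := flood(&unboundedBuffer{}, records, size)
	fmt.Printf("unbounded: retained %d bytes, err=%v\n", retained, err)

	retained, err = flood(newBoundedBuffer(64*1024), records, size)
	fmt.Printf("bounded:   retained %d bytes, err=%v\n", retained, err)
}
```

The unbounded variant keeps every byte a half-open peer sends, so memory grows linearly with attacker traffic; the bounded variant stops at the ceiling and surfaces an error the connection logic can act on. To check whether a Go build is affected, `go list -m github.com/pion/dtls/v2` prints the resolved module version; anything below v2.1.4 should be upgraded.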
References (3)
Third Party Advisory x_refsource_misc
https://github.com/pion/dtls/releases/tag/v2.1.4
Third Party Advisory x_refsource_confirm
https://github.com/pion/dtls/security/advisories/GHSA-cx94-mrg9-rq4j
Patch, Third Party Advisory x_refsource_misc
https://github.com/pion/dtls/commit/a6397ff7282bc56dc37a68ea9211702edb4de1de
Scores
CVSS v3
5.3
EPSS
0.0119
EPSS Percentile
78.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-120
Status
published
Products (2)
pion/dtls
< 2.1.4
pion/dtls
0 - 2.1.4 (2 CPE variants), Go
Published
May 21, 2022
Tracked Since
Feb 18, 2026