CVE-2026-26014

Name	CVE-2026-26014
Description	Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES GCM ciphers, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonce in a session and a "forbidden attack". Upgrade to v3.0.11, v3.1.1, or later.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1127927, 1127928

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-github-pion-dtls-v3 (PTS)	forky, sid	3.0.7-2	vulnerable
golang-github-pion-dtls.v2 (PTS)	forky, bookworm, sid, trixie	2.2.6-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
golang-github-pion-dtls-v3	source	(unstable)	(unfixed)			1127927
golang-github-pion-dtls.v2	source	(unstable)	(unfixed)			1127928

Notes

https://github.com/pion/dtls/security/advisories/GHSA-9f3f-wv7r-qc8r
https://github.com/pion/dtls/pull/796
Fixed by: https://github.com/pion/dtls/commit/61762dee8217991882c5eb79856b9e7a73ee349f (v3.1.0)
Fixed by: https://github.com/pion/dtls/commit/90e241cfec2985715efdd3d005972847462a67d6 (v3.0.11)