CVE-2026-26014
Usage of random nonce generation with AES GCM ciphers risks leaking the authentication key in github.com/pion/dtls
5.9
MEDIUM
CVSS 3.1
EPSS 0.06%
Description
Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES GCM ciphers, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonce in a session and a "forbidden attack". Upgrade to v3.0.11, v3.1.1, or later.
How to fix CVE-2026-26014
To remediate CVE-2026-26014, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 3.1.2-1 or later
- —no fix listed
- —no fix listed
- —no fix listed
- —no fix listed
- —upgrade to 3.0.11 or later
- —upgrade to 3.1.1 or later
Is CVE-2026-26014 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (8)
- from 0
- from 0, < 3.1.2-1
- from 0, <= 1.5.4
- from 0
- from 0, <= 2.2.12
- from 0
- >= 3.0.10, < 3.0.11, >= 3.1.0, < 3.1.1
- >= 3.1.0, < 3.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |