EXECUTIVE SUMMARY:
CVE-2026-26014 is a moderate severity vulnerability with a CVSS score of 5.9 affecting Pion DTLS, where random nonce generation is used with AES GCM ciphers, increasing the likelihood of nonce reuse within a session. Such reuse can enable a remote attacker to perform a “forbidden attack,” potentially exposing the authentication key and allowing crafted data to be spoofed. The issue impacts versions up to 1.5.4 in the v1 branch, up to 2.2.12 in the v2 branch, and versions prior to 3.1.0 in the v3 branch. The root cause lies in improper nonce construction in GCM mode, which requires strict uniqueness to preserve cryptographic integrity and confidentiality guarantees. Version 3.1.0 addresses the flaw by using a 64-bit sequence number to populate the nonce_explicit portion of the GCM nonce, aligning with recommended best practices, and preventing nonce reuse. There are no effective workarounds and upgrading to version 3.1.0 or later is required to remediate the risk.
RECOMMENDATION:
We strongly recommend update Pion DTLS to version v3.1.0 or later.
REFERENCES:
The following reports contain further technical details: