Is github.com/pion/dtls affected by CVE-2026-26014?

Go github.com/pion/dtls is affected in >=0.

Is CVE-2026-26014 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

medium

CVE-2026-26014

Go · github.com/pion/dtls • Go · github.com/pion/dtls/v2 • Go · github.com/pion/dtls/v3

Summary

Usage of random nonce generation with AES GCM ciphers risks leaking the authentication key in github.com/pion/dtls

Severity: medium
EPSS: 0.6% (p45)
Also known as: GHSA-9f3f-wv7r-qc8r, GHSA-9f3f-wv7r-qc8r#github.com/pion/dtls, GHSA-9f3f-wv7r-qc8r#github.com/pion/dtls/v2, GHSA-9f3f-wv7r-qc8r#github.com/pion/dtls/v3, GO-2026-4479, GO-2026-4479#github.com/pion/dtls, GO-2026-4479#github.com/pion/dtls/v2, GO-2026-4479#github.com/pion/dtls/v3
Published: 2026-02-19

References

https://github.com/pion/dtls/security/advisories/GHSA-9f3f-wv7r-qc8r
https://github.com/pion/dtls/commit/61762dee8217991882c5eb79856b9e7a73ee349f
https://github.com/pion/dtls/pull/796

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.