CVE-2022-29190

7.5 HIGH

📋 TL;DR

CVE-2022-29190 is a denial-of-service vulnerability in Pion DTLS, a Go implementation of Datagram Transport Layer Security. Attackers can send specially crafted packets that cause the DTLS implementation to enter an infinite loop, leading to service disruption. Any application using vulnerable versions of Pion DTLS for secure UDP communications is affected.

💻 Affected Systems

Products:
  • Pion DTLS
Versions: All versions prior to 2.1.4
Operating Systems: All platforms running Go applications with Pion DTLS
Default Config Vulnerable: ⚠️ Yes
Notes: Any application importing and using the vulnerable Pion DTLS library is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage through resource exhaustion (CPU 100%), potentially affecting all DTLS connections and causing cascading failures in dependent services.

🟠 Likely Case

Targeted denial-of-service attacks against specific services using Pion DTLS, causing temporary service disruption until the process is restarted.

🟢 If Mitigated

Minimal impact if patched version is deployed; otherwise, services remain vulnerable to DoS attacks from network-accessible attackers.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely without authentication by sending malicious packets to exposed DTLS endpoints.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to DTLS services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory describes the vulnerability clearly, making exploitation straightforward for attackers with networking knowledge. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.4

Vendor Advisory: https://github.com/pion/dtls/security/advisories/GHSA-cm8f-h6j3-p25c

Restart Required: Yes

Instructions:

1. Update Go dependencies: go get github.com/pion/dtls/v2@v2.1.4
2. Rebuild and redeploy all applications using Pion DTLS
3. Restart affected services

🔧 Temporary Workarounds

No known workarounds

The vendor advisory states there are no known workarounds available.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to DTLS endpoints only to trusted sources
  • Deploy rate limiting and packet filtering to detect and block abnormal DTLS traffic patterns

🔍 How to Verify

Check if Vulnerable:

List the resolved module version in the build: go list -m github.com/pion/dtls/v2 (any version below v2.1.4 is vulnerable)

Check Version:

go list -m github.com/pion/dtls/v2

Verify Fix Applied:

Confirm the reported version is v2.1.4 or higher. A literal match such as go list -m github.com/pion/dtls/v2 | grep v2.1.4 only succeeds for 2.1.4 itself and fails on later fixed releases, so compare the version numerically rather than by string match.
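As an added example (not from the advisory or the Pion project), a small Go program that applies the version check above to the output of go list -m: it parses the module version, accepts any release at or above v2.1.4, and conservatively treats pseudo-versions and pre-releases of 2.1.4 as still vulnerable. The function and constant names are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// FixedVersion is the first Pion DTLS release containing the fix, per the advisory.
const FixedVersion = "v2.1.4"

// parseModVersion splits a Go module version such as "v2.1.3" or the pseudo-version
// "v2.1.4-0.20220509000000-0123456789ab" into numeric parts plus a pre-release flag.
func parseModVersion(v string) (parts [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '-'); i >= 0 { // "-" introduces a pre-release or pseudo-version
		pre, v = true, v[:i]
	}
	if n, _ := fmt.Sscanf(v, "%d.%d.%d", &parts[0], &parts[1], &parts[2]); n != 3 {
		return parts, false, fmt.Errorf("not a semantic version: %q", v)
	}
	return parts, pre, nil
}

// IsFixed reports whether a github.com/pion/dtls/v2 version is at or above FixedVersion.
// Unlike `grep v2.1.4` it accepts v2.1.5 and later, while a pre-release or pseudo-version
// of 2.1.4 sorts below the 2.1.4 release and is conservatively treated as still vulnerable.
func IsFixed(version string) (bool, error) {
	have, havePre, err := parseModVersion(version)
	if err != nil {
		return false, err
	}
	want, _, _ := parseModVersion(FixedVersion)
	for i := range have {
		if have[i] != want[i] {
			return have[i] > want[i], nil
		}
	}
	return !havePre, nil
}

// CheckGoListLine takes one line of `go list -m github.com/pion/dtls/v2` output
// ("<module path> <version>", optionally followed by "=> <replacement>").
func CheckGoListLine(line string) (bool, error) {
	if f := strings.Fields(line); len(f) >= 2 && f[0] == "github.com/pion/dtls/v2" {
		return IsFixed(f[1])
	}
	return false, fmt.Errorf("unexpected go list output: %q", line)
}
```

Pipe the real command output into CheckGoListLine line by line; a replace directive still reports the version column first, so it is evaluated the same way.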

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes in processes using DTLS
  • Process crashes or hangs related to DTLS connections
  • Abnormal termination of DTLS-enabled services

Network Indicators:

  • Unusual volume of DTLS packets from single sources
  • Malformed DTLS handshake packets
  • Repeated connection attempts to DTLS ports

SIEM Query:

process.cpu.usage:>90 AND (process.name:*dtls* OR process.cmdline:*pion/dtls*)
