CVE-2019-20786
Description
Pion DTLS before 1.5.2 lacks an epoch check in handleIncomingPacket, letting attackers inject unencrypted application data after handshake.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2019-20786 affects Pion DTLS, a Go implementation of DTLS 1.2. The vulnerability resides in handleIncomingPacket within conn.go [1]. The root cause is a missing check: nothing requires application data packets to carry an epoch value other than 0 [1][4]. In the DTLS protocol, epoch 0 is reserved for the initial handshake phase; all post-handshake communication must use a non-zero epoch to ensure encryption and authentication.
Exploitation
A remote attacker who is able to send arbitrary network packets to a Pion DTLS endpoint can exploit this flaw after the DTLS handshake has successfully completed [1]. No prior authentication or session access is required; the attacker simply sends DTLS application data frames with epoch set to 0. The vulnerable library will process these frames as valid application data without decrypting or authenticating them [4].
Impact
Successful exploitation allows the attacker to inject arbitrary plaintext data that the receiving application treats as legitimate post-handshake traffic [1]. This bypasses the encryption and integrity guarantees of DTLS, effectively neutralizing the security of the established session. The injected data could trigger unintended application-level actions, leak information via responses, or corrupt shared state.
Mitigation
The issue was addressed in Pion DTLS release v1.5.2 by adding an explicit assertion that application data packets must have epoch not equal to 0 [2][4]. Users should upgrade to this version or later. No official workaround exists if upgrading is not possible, so applying the patch is strongly recommended.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
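A passive check for the condition the fix enforces, as an added example (not Pion's code): it parses the 13-byte DTLS 1.2 record header defined in RFC 6347 and flags application_data records carried in epoch 0. The names `EpochZeroAppData` and `record` and the sample datagram are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// DTLS 1.2 record header (RFC 6347): type(1) version(2) epoch(2) seq(6) length(2).
const headerLen, applicationData = 13, 23

var errTruncated = errors.New("truncated DTLS record")

// EpochZeroAppData walks every record in one UDP payload and returns the byte
// offsets of application_data records whose epoch is 0 (never key-protected).
func EpochZeroAppData(pkt []byte) ([]int, error) {
	var offsets []int
	for off := 0; off < len(pkt); {
		if len(pkt)-off < headerLen {
			return offsets, errTruncated
		}
		h := pkt[off : off+headerLen]
		epoch := binary.BigEndian.Uint16(h[3:5])
		n := int(binary.BigEndian.Uint16(h[11:13]))
		if len(pkt)-off-headerLen < n {
			return offsets, errTruncated
		}
		if h[0] == applicationData && epoch == 0 {
			offsets = append(offsets, off)
		}
		off += headerLen + n
	}
	return offsets, nil
}

// record builds a constructed sample record (version bytes 0xfe 0xfd = DTLS 1.2).
func record(typ byte, epoch uint16, seq uint32, body []byte) []byte {
	b := []byte{typ, 0xfe, 0xfd, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
	binary.BigEndian.PutUint16(b[3:5], epoch)
	binary.BigEndian.PutUint32(b[7:11], seq)
	binary.BigEndian.PutUint16(b[11:13], uint16(len(body)))
	return append(b, body...)
}

func main() {
	// Constructed datagram: handshake record, epoch-1 data, then epoch-0 data.
	pkt := append(record(22, 0, 0, make([]byte, 12)), record(23, 1, 7, make([]byte, 24))...)
	pkt = append(pkt, record(23, 0, 9, []byte("hi"))...)
	fmt.Println(EpochZeroAppData(pkt))
}
```

Run over datagrams captured from an established session, any returned offset marks a record that a patched endpoint rejects with a fatal alert.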
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/pion/dtls (Go) | < 1.5.2 | 1.5.2 |
Affected products
- Pion/Pion DTLS
Patches
fd73a5df2ff0: Assert that ApplicationData has epoch != 0
1 file changed · +4 −0
conn.go+4 −0 modified@@ -559,6 +559,10 @@ func (c *Conn) handleIncomingPacket(buf []byte) (*alert, error) { c.log.Trace("<- ChangeCipherSpec") c.setRemoteEpoch(c.getRemoteEpoch() + 1) case *applicationData: + if h.epoch == 0 { + return &alert{alertLevelFatal, alertUnexpectedMessage}, fmt.Errorf("ApplicationData with epoch of 0") + } + c.decrypted <- content.data default: return &alert{alertLevelFatal, alertUnexpectedMessage}, fmt.Errorf("unhandled contentType %d", content.contentType())
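Review bot: the new guard in the `*applicationData` case rejects only `h.epoch == 0`, while the same function already tracks the peer's epoch through `c.getRemoteEpoch()` (visible in the ChangeCipherSpec case just above it). Consider comparing the record's epoch against that value, or add a comment stating why a zero check alone is sufficient at this point. The change touches only conn.go, so a regression test that feeds handleIncomingPacket an epoch-0 ApplicationData record and expects the fatal unexpected_message alert would be worth adding with it. The inline `fmt.Errorf("ApplicationData with epoch of 0")` could also become a package-level error value so callers and tests can match on it.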
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7gfg-6934-mqq2 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-20786 (advisory)
- github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0 (web)
- github.com/pion/dtls/compare/v1.5.1...v1.5.2 (web)
- github.com/pion/dtls/pull/128 (web)
- pkg.go.dev/vuln/GO-2020-0038 (web)
- www.usenix.org/conference/usenixsecurity20/presentation/fiterau-brostean (web)
- www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf (web)