VYPR
← All advisories
High severityNVD Advisory· Published May 20, 2022· Updated Apr 23, 2025

Header reconstruction method can be thrown into an infinite loop in Pion DTLS

CVE-2022-29190

Description

Pion DTLS prior to v2.1.4 enters an infinite loop when processing crafted packets, enabling a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pion DTLS prior to v2.1.4 enters an infinite loop when processing crafted packets, enabling a denial of service.

Vulnerability

The vulnerability resides in Pion DTLS, a Go implementation of Datagram Transport Layer Security. In versions prior to 2.1.4, a crafted packet with zero-length fragments can trigger an infinite loop in the fragment buffer processing logic [1][4]. The affected code path is in the fragmentBuffer implementation. The issue was fixed via a commit that adds a check for zero-length fragments to prevent the infinite loop [4]. Versions < 2.1.4 are vulnerable.

Exploitation

An attacker can exploit this by sending a UDP datagram containing a specially crafted DTLS handshake record with a zero-length fragment payload [4]. No authentication or special network position (other than the ability to send packets to the target DTLS endpoint) is required. The attacker sends the malicious packet; upon processing, the Pion DTLS stack enters an infinite loop, consuming CPU resources.

Impact

Successful exploitation leads to a denial of service (DoS) condition: the DTLS endpoint becomes unresponsive as it is stuck in an infinite loop [1]. This affects the availability of any service using Pion DTLS to handle DTLS connections. There is no confidentiality or integrity impact.

Mitigation

The vulnerability is patched in Pion DTLS version 2.1.4, released on 2022-05-20 [2][3]. Users should upgrade to v2.1.4 or later. There are no known workarounds [1]. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

References
  1. NVD - CVE-2022-29190
  2. Release v2.1.4 · pion/dtls
  3. GO-2022-0460 - Go Packages
  4. Don't attempt to append zero length fragments · pion/dtls@e0b2ce3

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/pion/dtlsGo
< 2.1.42.1.4
github.com/pion/dtls/v2Go
< 2.1.42.1.4

Affected products

3

Patches

1
e0b2ce3592e8

Don't attempt to append zero length fragments

https://github.com/pion/dtlsSean DuBoisMay 10, 2022via ghsa
commit
2 files changed · +15 1
  • fragment_buffer.go+1 1 modified
    @@ -76,7 +76,7 @@ func (f *fragmentBuffer) pop() (content []byte, epoch uint16) {
 		for _, f := range frags {
 			if f.handshakeHeader.FragmentOffset == targetOffset {
 				fragmentEnd := (f.handshakeHeader.FragmentOffset + f.handshakeHeader.FragmentLength)
-				if fragmentEnd != f.handshakeHeader.Length {
+				if fragmentEnd != f.handshakeHeader.Length && f.handshakeHeader.FragmentLength != 0 {
 					if !appendMessage(fragmentEnd) {
 						return false
 					}
  • fragment_buffer_test.go+14 0 modified
    @@ -73,6 +73,20 @@ func TestFragmentBuffer(t *testing.T) {
 			},
 			Epoch: 0,
 		},
+		// Assert that a zero length fragment doesn't cause the fragmentBuffer to enter an infinite loop
+		{
+			Name: "Zero Length Fragment",
+			In: [][]byte{
+				{
+					0x16, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00,
+					0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+				},
+			},
+			Expected: [][]byte{
+				{0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00},
+			},
+			Epoch: 0,
+		},
 	} {
 		fragmentBuffer := newFragmentBuffer()
 		for _, frag := range test.In {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.