
go.mod: update module github.com/pion/dtls/v3 to v3.0.11 [SECURITY]#883

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-pion-dtls-v3-vulnerability

Conversation


@renovate renovate bot commented Mar 3, 2026

This PR contains the following updates:

Package: github.com/pion/dtls/v3
Change: v3.0.0 -> v3.0.11

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-26014

Impact

Pion DTLS versions v1.0.0 through v3.0.10 use random nonce generation with AES GCM ciphers, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonce in a session and a "forbidden attack".

Patches

Upgrade to v3.1.1 or later. This version includes PR #796, which uses the 64-bit sequence number to populate the nonce_explicit part of the GCM nonce. This is according to best practice outlined in RFC 9325 section 7.2.1.

v3.0.11 is a backport patch supporting Go v1.21.

Workarounds

There are no workarounds without upgrading to version v3.0.11, v3.1.1 or later.

References

Commit fixing the bug: pion/dtls@61762de
Commit fixing the bug (backport): 90e241c
Pull request: #796
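The advisory above turns on one property: under a single AES-GCM key, the 12-byte nonce must never repeat, and an 8-byte nonce_explicit drawn at random cannot guarantee that over a long session, whereas the record sequence number can. The following Go program is an added example written for this page; it is not code from pion/dtls or from PR #796. It builds the DTLS 1.2 AEAD nonce in the documented layout (4-byte implicit salt from the key block followed by 8-byte nonce_explicit, here epoch || 48-bit sequence number), wraps the record layer in a tracker that refuses any repeated nonce_explicit under the same key, and shows that the 48-bit counter exhausting forces a rekey rather than a wrap. The function names (recordNonce, NonceTracker, sealRecord, newAEAD), the sample key and the salt are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const (
	saltLen     = 4 // implicit nonce part, derived from the key block
	explicitLen = 8 // nonce_explicit, carried on the wire with each record
	nonceLen    = saltLen + explicitLen
	maxSeq      = 1<<48 - 1 // DTLS record sequence numbers are 48 bits wide
)

// recordNonce builds the 12-byte AES-GCM nonce for one DTLS 1.2 record as
// salt || epoch (16 bits) || sequence_number (48 bits). Each record under a
// given key has a distinct (epoch, sequence) pair, so the nonce cannot
// repeat within a session; a random nonce_explicit gives no such guarantee.
// (Hypothetical helper; not the pion/dtls implementation.)
func recordNonce(salt []byte, epoch uint16, seq uint64) ([]byte, error) {
	if len(salt) != saltLen {
		return nil, fmt.Errorf("salt must be %d bytes, got %d", saltLen, len(salt))
	}
	if seq > maxSeq {
		// Wrapping the counter would reuse nonces; the only safe answer is to rekey.
		return nil, fmt.Errorf("48-bit sequence number exhausted; rekey required")
	}
	nonce := make([]byte, nonceLen)
	copy(nonce, salt)
	binary.BigEndian.PutUint16(nonce[saltLen:], epoch)
	var seqBuf [8]byte
	binary.BigEndian.PutUint64(seqBuf[:], seq)
	copy(nonce[saltLen+2:], seqBuf[2:]) // low 48 bits of the sequence number
	return nonce, nil
}

// NonceTracker remembers every nonce_explicit used under one key and rejects
// a repeat. A test harness can wrap a record layer with it to catch the
// nonce-reuse class of bug regardless of how the nonce is generated.
type NonceTracker struct {
	seen map[[explicitLen]byte]struct{}
}

func NewNonceTracker() *NonceTracker {
	return &NonceTracker{seen: make(map[[explicitLen]byte]struct{})}
}

// Observe returns an error if the explicit part of nonce was already used.
func (t *NonceTracker) Observe(nonce []byte) error {
	if len(nonce) != nonceLen {
		return fmt.Errorf("nonce must be %d bytes, got %d", nonceLen, len(nonce))
	}
	var key [explicitLen]byte
	copy(key[:], nonce[saltLen:])
	if _, dup := t.seen[key]; dup {
		return fmt.Errorf("nonce_explicit %x reused under the same key", key)
	}
	t.seen[key] = struct{}{}
	return nil
}

// sealRecord encrypts one record with the deterministic nonce and refuses to
// proceed if the tracker has already seen that nonce under this key.
func sealRecord(aead cipher.AEAD, tracker *NonceTracker, salt []byte,
	epoch uint16, seq uint64, plaintext, aad []byte) ([]byte, error) {
	nonce, err := recordNonce(salt, epoch, seq)
	if err != nil {
		return nil, err
	}
	if err := tracker.Observe(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

// newAEAD returns AES-GCM for a 16/24/32-byte key (12-byte standard nonce).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample key and salt; in DTLS both come from the key block.
	key := []byte("0123456789abcdef")
	salt := []byte{0xde, 0xad, 0xbe, 0xef}
	aead, err := newAEAD(key)
	if err != nil {
		panic(err)
	}
	tracker := NewNonceTracker()
	for seq := uint64(0); seq < 3; seq++ {
		ct, err := sealRecord(aead, tracker, salt, 1, seq, []byte("hello"), nil)
		if err != nil {
			panic(err)
		}
		fmt.Printf("epoch=1 seq=%d ciphertext=%x\n", seq, ct)
	}
	// Sealing a second record with (epoch=1, seq=0) is refused by the tracker.
	if _, err := sealRecord(aead, tracker, salt, 1, 0, []byte("again"), nil); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The tracker is a testing aid, not a production control: a record layer that derives nonce_explicit from the sequence number never needs it, while one that draws nonces at random will eventually trip it, which is exactly the regression test this class of bug calls for.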


Pion DTLS's usage of random nonce generation with AES GCM ciphers risks leaking the authentication key

CVE-2026-26014 / GHSA-9f3f-wv7r-qc8r / GO-2026-4479

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pion/dtls (github.com/pion/dtls/v3)

v3.0.11


Backport security fix for GHSA-9f3f-wv7r-qc8r (CVE-2026-26014)

This is the only release with the security fix for Go v1.21.

v3.0.10


Changelog

v3.0.9


Changelog

  • ab5f89b Implement TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • d5761ac Prevent negative intervals

v3.0.8


Changelog

  • ffd97f5 Backoff handshake retransmit
  • 7ab1bc9 Update actions/checkout action to v6
  • bdb5f23 Update module github.com/pion/transport/v3 to v3.1.1 (#754)
  • 1d9b6b1 Update module github.com/pion/transport/v3 to v3.1.0
  • c06c3a7 Lock while writing to encryptedPackets
  • ca7d80e Update CI configs to v0.11.32
  • 9cfb13f Improve the record layer fuzz tests
  • daa0fd4 Add fuzz tests for gcm
  • 9ed5950 Add fuzz tests for ccm
  • 7b68bd9 Add fuzz tests for packet buffer
  • 7c62411 Update CI configs to v0.11.31
  • 3e12f76 Add more tests for prf
  • e7cbd62 Migrate elliptic curves from elliptic to ecdh
  • 6ff535f Update module github.com/pion/transport/v3 to v3.0.8
  • f6b0286 Add the supported_versions extension
  • 120a895 Handle ECONNREFUSED timeout
  • ed044c0 Update CI configs to v0.11.29
  • 5611b14 Apply go modernize
  • 27c3405 Update actions/checkout action to v5
  • 8764fbd Update CI configs to v0.11.26
  • 465f544 Update CI configs to v0.11.25
  • 6e1e3c9 Update module github.com/stretchr/testify to v1.11.1
  • 495a7b5 Update CI configs to v0.11.24
  • 0b11eab Update module github.com/stretchr/testify to v1.11.0
  • b8c2ab4 Fix lint issues with golangci-lint@v2
  • 0bf1902 Update CI configs to v0.11.22

v3.0.7


Changelog
  • e3cf6bc Comply with RFC5746 and RFC5246
  • f0c0987 Update module github.com/pion/logging to v0.2.4
  • 63bf30c Update CI configs to v0.11.20
  • 34fbe21 Replace interface{} with any
  • 8bf2c71 Fix packet buffer read index after buffer resize
  • 806ff2f Refactor cfg.onFlightState, avoid data race
  • f5e908f Update CI configs to v0.11.19
  • 58d3b7e Update lint rules, force testify/assert
  • e57dc04 Update social media links, move to discord

v3.0.6


What's Changed

Full Changelog: pion/dtls@v3.0.5...v3.0.6

v3.0.5


Changelog
  • fbc7bae Update docker.io/library/golang Docker tag to v1.24 (#694)
  • 13b929b Update module golang.org/x/net to v0.37.0 (#697)
  • 3a0f50a Use crypto.Signer whenever possible (#681)
  • 16d6306 Update module golang.org/x/net to v0.34.0 (#693)
  • 8eb9a91 Upgrade golangci-lint, more linters
  • 1c0df61 Update module github.com/pion/logging to v0.2.3 (#691)
  • 1e4ae60 Update module golang.org/x/net to v0.33.0 [SECURITY]
  • ceb8458 Update module golang.org/x/crypto to v0.31.0 [SECURITY]
  • 4e34db5 Update module golang.org/x/net to v0.31.0
  • 02434c7 Update module golang.org/x/crypto to v0.29.0

v3.0.4


Changelog

  • b3e02c4 Update module golang.org/x/net to v0.30.0
  • 3f61fd2 Fix RSA signature verification issue
  • d796437 Improve fuzzing

v3.0.3


Changelog

  • 98a05d6 Fix incorrect client retransmissions
  • d7f5fee Update module golang.org/x/net to v0.29.0
  • 0be603a Update module golang.org/x/crypto to v0.27.0
  • 0790369 Update module golang.org/x/net to v0.28.0
  • f13eec1 Update module golang.org/x/crypto to v0.26.0
  • e193dc2 Update go.mod version to 1.20

v3.0.2


Changelog

  • 1a02350 Fix race between Conn.Close and Conn.Handshake
  • 032d60c Update CI configs to v0.11.15
  • f6ecbc2 Update docker.io/library/golang Docker tag to v1.23
  • fd18984 Fix pkg.go.dev link

v3.0.1


Changelog

  • e20b162 Fix multiple calls to Handshake
  • f3e8a9e Fix segfault in State::serialize method
  • 5a72b12 Update module github.com/pion/transport/v3 to v3.0.7
  • c5ab822 Update module golang.org/x/net to v0.27.0
  • 23674bd Update module golang.org/x/crypto to v0.25.0
  • 7ab74fb Add support for MKI in use_srtp
  • 7139e0e Fix time units in example
  • 2ed7caa Update module github.com/pion/transport/v3 to v3.0.6

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested review from a team and ClaytonNorthey92 as code owners March 3, 2026 15:04
@renovate renovate bot added type: dependencies This is related to dependencies. Excluded from changelog type: security This is a security-related issue labels Mar 3, 2026

renovate bot commented Mar 3, 2026

ℹ️ Artifact update notice

File name: e2e/monitor/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

Package Change
github.com/pion/logging v0.2.2 -> v0.2.4
github.com/stretchr/testify v1.10.0 -> v1.11.1

@github-actions github-actions bot added the changelog: required This pull request must update the CHANGELOG.md file or explicitly be marked with changelog: skip label Mar 3, 2026

codecov bot commented Mar 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@renovate renovate bot force-pushed the renovate/go-github.com-pion-dtls-v3-vulnerability branch from 49c38ba to 14cda00 Compare March 3, 2026 15:40
@joshuasing joshuasing added changelog: skip This pull request does not require a changelog entry (e.g. tests, docs, CI, minor refactors). and removed changelog: required This pull request must update the CHANGELOG.md file or explicitly be marked with changelog: skip labels Mar 4, 2026