CVE-2022-29190: 
Linux Debian vulnerability analysis and mitigation

Pion DTLS, a Go implementation of Datagram Transport Layer Security, was found to be vulnerable to an infinite loop condition in versions prior to 2.1.4. The vulnerability (CVE-2022-29190) was discovered by Juho Nurminen and the Mattermost team and disclosed on May 10, 2022. The issue affects all versions of Pion DTLS up to and including version 2.1.3 (GitHub Advisory).

The vulnerability exists in the header reconstruction method where an attacker can send specially crafted packets that cause Pion DTLS to enter an infinite loop during processing. The issue occurs when the fragmentBuffer attempts to process zero-length fragments, which results in an endless loop since the append operation doesn't make any progress. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with low complexity and requires no privileges or user interaction (GitHub Advisory).

The vulnerability primarily affects system availability. When successfully exploited, it can cause the DTLS implementation to enter an infinite loop, effectively creating a denial of service condition. The CVSS scoring indicates no impact on confidentiality or integrity, but a high impact on availability (GitHub Advisory).

The vulnerability has been fixed in Pion DTLS version 2.1.4. Users are strongly advised to upgrade to this version as there are no known workarounds available. The fix prevents the infinite loop by adding a check for zero-length fragments in the fragment processing logic (GitHub Release, GitHub Commit).