Skip to main content

Coredns CVE-2026-26017

MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-03-06 security-advisories@github.com GHSA-c9v3-4pv7-87pr
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
SUSE
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Red Hat
7.7 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Severity Changed
Jun 30, 2026 - 03:24 NVD
HIGH MEDIUM
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.7 (HIGH) 6.3 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 16:16 nvd
HIGH 7.7

DescriptionNVD

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2.

AnalysisAI

CoreDNS versions prior to 1.14.2 allow authenticated attackers to bypass DNS access controls through a Time-of-Check Time-of-Use race condition in the plugin execution chain, where the rewrite plugin processes requests after security plugins like ACL have already validated them. An attacker with network access can exploit this logical flaw to access DNS records that should be restricted by configured access control policies. No patch is currently available for affected deployments.

Technical ContextAI

Affects Coredns. CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2.

RemediationAI

Fixed in version 1.14.2.. Restrict network access to the affected service where possible.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Package Hub 15 SP6 Fixed
openSUSE Leap 15.6 Fixed
openSUSE Tumbleweed Fixed
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed

Share

CVE-2026-26017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy