CVE-2026-26018
HIGH
GHSA-h75p-j8xm-m278
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Description
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process. This issue has been patched in version 1.14.2.
Analysis
Coredns versions up to 1.14.2 contains a vulnerability that allows attackers to crash the DNS server by sending specially crafted DNS queries (CVSS 7.5).
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all CoreDNS deployments and identify instances running versions 1.14.2 or earlier; validate current version in production. Within 7 days: Implement network-based rate limiting and query filtering to reduce attack surface; isolate CoreDNS infrastructure where possible; establish monitoring for abnormal DNS query patterns. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today