Skip to main content

CoreDNS CVE-2026-62299

| EUVDEUVD-2026-45020 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-07-16 GitHub_M
5.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
5.3 MEDIUM

DNS is network-accessible with no auth or interaction required; A:L reflects the default SERVFAIL outcome, with crash only when non-default debug directive is active.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 22:19 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 20:31 vuln.today
Analysis Generated
Jul 16, 2026 - 20:31 vuln.today
CVE Published
Jul 16, 2026 - 19:44 cve.org
MEDIUM 5.3

DescriptionCVE.org

CoreDNS is a DNS server written in Go. Prior to 1.14.5, the CoreDNS rewrite plugin supports edns0 rewrite rules with an optional revert flag, and two response rules, edns0SetResponseRule and edns0ReplaceResponseRule[T] in plugin/rewrite/edns0.go, call res.IsEdns0() and immediately dereference the returned *dns.OPT without a nil check when a downstream plugin returns a response with no OPT record. A remote, unauthenticated client can send a single ordinary DNS query matching a rewrite edns0 <local|nsid|subnet> <set|append|replace> ... revert rule, causing ResponseReverter in plugin/rewrite/reverter.go to panic, return SERVFAIL, and degrade availability, or crash the CoreDNS process if the debug directive disables recovery. This issue is fixed in version 1.14.5.

AnalysisAI

Nil pointer dereference in CoreDNS prior to 1.14.5 allows remote unauthenticated attackers to crash or degrade the DNS server by sending a single ordinary DNS query. The rewrite plugin's edns0 response rules dereference the result of IsEdns0() without a nil check; when a downstream plugin returns a response lacking an OPT record, the ResponseReverter panics, returning SERVFAIL in default deployments or terminating the CoreDNS process entirely when the debug directive is active. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send DNS query matching edns0 revert rewrite rule
Delivery
Downstream handler returns response without OPT record
Exploit
ResponseReverter calls IsEdns0(), receives nil pointer
Execution
Nil dereference triggers Go panic
Persist
CoreDNS returns SERVFAIL or process terminates (debug mode)
Impact
DNS resolution unavailable for all cluster workloads

Vulnerability AssessmentAI

Exploitation Exploitation requires that the CoreDNS rewrite plugin is configured with at least one edns0 rewrite rule that includes the optional revert flag - specifically using the form 'rewrite edns0 <local|nsid|subnet> <set|append|replace> ... … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L accurately reflects the default-deployment outcome: a SERVFAIL response rather than a process crash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to a CoreDNS instance that has an edns0 rewrite revert rule configured sends a single standard DNS A query (no OPT record required) for a domain matching the rule's pattern. CoreDNS rewrites the request, forwards it to a downstream handler, and the handler returns a response without an OPT record; during response post-processing, the ResponseReverter dereferences a nil pointer and panics. …
Remediation Upgrade CoreDNS to version 1.14.5, which contains the nil-guard fix introduced in commit fc447d0658b093edc8cd29a6b171216a44a644c2 via PR #8190; the release is at https://github.com/coredns/coredns/releases/tag/v1.14.5. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-62299 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy