Skip to main content

CoreDNS CVE-2026-62309

| EUVDEUVD-2026-45019 HIGH
NULL Pointer Dereference (CWE-476)
2026-07-16 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

A single unauthenticated remote datagram reliably crashes the process (AV:N/AC:L/PR:N/UI:N) with availability-only impact; the proxyproto config precondition is not a CVSS metric so A:H, C/I:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 22:19 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 20:30 vuln.today
Analysis Generated
Jul 16, 2026 - 20:30 vuln.today
CVE Published
Jul 16, 2026 - 19:42 cve.org
HIGH 7.5

DescriptionCVE.org

CoreDNS is a DNS server written in Go. Prior to 1.14.4, a single 28-byte UDP datagram can crash the CoreDNS process when the proxyproto plugin is enabled because plugin/pkg/proxyproto/proxyproto.go PacketConn.ReadFrom handles a PROXY v2 header with non-UDP transport such as family byte 0x11, reassigns addr from a nil readFrom result after parseProxyProtocol errors, and calls addr.String() in the warning log before ServeDNS recovery applies. This issue is fixed in version 1.14.4.

AnalysisAI

Remote denial of service in CoreDNS versions prior to 1.14.4 allows an unauthenticated attacker to crash the DNS server with a single 28-byte UDP datagram when the proxyproto plugin is enabled. The malformed PROXY protocol v2 header triggers a nil pointer dereference in the PacketConn.ReadFrom log path, killing the process before per-request recovery can intervene. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach CoreDNS UDP:53 with proxyproto enabled
Delivery
Craft PPv2 header with family 0x11
Exploit
Send single 28-byte datagram
Execution
parseProxyProtocol errors, addr set nil
Persist
addr.String() nil deref panics outside recover
Impact
CoreDNS process crashes, DNS outage

Vulnerability AssessmentAI

Exploitation Exploitation requires the CoreDNS proxyproto plugin to be enabled and the attacker to be able to send a UDP datagram to the CoreDNS listener; the malicious packet must carry a valid PROXY protocol v2 signature but declare a non-UDP transport family byte (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) is credible for the availability-only impact: a network attacker with no privileges or user interaction sends one small datagram to crash the daemon. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the CoreDNS UDP port of a server running the proxyproto plugin sends a single 28-byte datagram whose PROXY v2 header declares a non-UDP transport family (0x11). Parsing fails, addr becomes nil, and the warning-log call to addr.String() panics outside recovery, terminating the CoreDNS process and taking down DNS resolution. …
Remediation Vendor-released patch: 1.14.4 - upgrade CoreDNS to v1.14.4 or later (https://github.com/coredns/coredns/releases/tag/v1.14.4), which changes ReadFrom to log using a preserved peer address instead of the nil-reassigned addr (PR https://github.com/coredns/coredns/pull/8154, commit 60a439dd4febfcd78e3779e952fe3fbf3c16bb1f). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit CoreDNS deployments to identify affected versions (prior to 1.14.4) and instances with the proxyproto plugin enabled, documenting all production DNS servers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-62309 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy