Skip to main content

CoreDNS CVE-2026-62994

| EUVDEUVD-2026-45018 LOW
Uncaught Exception (CWE-248)
2026-07-16 GitHub_M
3.7
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.7 LOW

AXFR request is network-delivered with no auth, AC:H reflects multi-condition prerequisite; A:L as Kubernetes restarts CoreDNS pod; no confidentiality or integrity impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 22:19 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 20:22 vuln.today
Analysis Generated
Jul 16, 2026 - 20:22 vuln.today
CVE Published
Jul 16, 2026 - 19:39 cve.org
LOW 3.7

DescriptionCVE.org

CoreDNS is a DNS server written in Go. From 1.9.4 until 1.14.5, a network DNS client allowed to request AXFR for a CoreDNS zone can trigger a panic when CoreDNS is configured with k8s_external headless-service zone transfers and Kubernetes contains a headless service endpoint with no declared ports; plugin/kubernetes/object/endpoint.go creates Port: -1, plugin/k8s_external/msg_to_dns.go skips that service, plugin/k8s_external/transfer.go sends an empty []dns.RR batch, and plugin/transfer/transfer.go indexes records[0] without checking the batch is non-empty. This issue is fixed in version 1.14.5.

AnalysisAI

Unhandled Go runtime panic in CoreDNS 1.9.4 through 1.14.4 allows a network-reachable DNS client with AXFR permission to crash the CoreDNS process via a zone transfer request, causing a denial of service against cluster DNS. The crash path is triggered only when the k8s_external plugin is configured for headless-service zone transfers and Kubernetes contains a headless service with no declared ports - a condition that causes an empty record batch to be forwarded to plugin/transfer/transfer.go, where an unchecked index access (records[0]) panics the Go runtime. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify CoreDNS instance with AXFR permitted
Delivery
Confirm k8s_external plugin active on target zone
Exploit
Craft AXFR DNS request for that zone
Install
Empty record batch generated from portless headless service
C2
Unchecked records[0] index panics Go runtime
Execute
CoreDNS process crashes
Impact
Kubernetes cluster DNS unavailable until pod restart

Vulnerability AssessmentAI

Exploitation Three conditions must simultaneously hold: (1) CoreDNS must be configured with the k8s_external plugin specifically handling headless-service zone transfers - this is a non-default, operator-configured deployment mode; (2) the Kubernetes cluster must contain at least one headless service endpoint with no declared ports, which causes plugin/kubernetes/object/endpoint.go to generate Port: -1 internally; and (3) the attacker must have AXFR access permitted by the CoreDNS transfer plugin ACL from their network location - AXFR is not open by default and typically restricted to trusted secondaries. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L accurately reflects a remotely triggerable but conditionally gated denial of service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A network client permitted to send AXFR requests to a CoreDNS instance sends a zone transfer request for a zone managed by the k8s_external plugin. If the Kubernetes cluster contains any headless service with no declared ports - even an unused or test service - the transfer plugin encounters an empty DNS record batch and panics on the unchecked records[0] access, immediately crashing the CoreDNS process. …
Remediation Upgrade CoreDNS to version 1.14.5, confirmed fixed per the vendor release at https://github.com/coredns/coredns/releases/tag/v1.14.5 and fix commit ab318db7b4a3a19273852ed627f54888198c8efb. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-62994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy