Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
AXFR request is network-delivered with no auth, AC:H reflects multi-condition prerequisite; A:L as Kubernetes restarts CoreDNS pod; no confidentiality or integrity impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
CoreDNS is a DNS server written in Go. From 1.9.4 until 1.14.5, a network DNS client allowed to request AXFR for a CoreDNS zone can trigger a panic when CoreDNS is configured with k8s_external headless-service zone transfers and Kubernetes contains a headless service endpoint with no declared ports; plugin/kubernetes/object/endpoint.go creates Port: -1, plugin/k8s_external/msg_to_dns.go skips that service, plugin/k8s_external/transfer.go sends an empty []dns.RR batch, and plugin/transfer/transfer.go indexes records[0] without checking the batch is non-empty. This issue is fixed in version 1.14.5.
AnalysisAI
Unhandled Go runtime panic in CoreDNS 1.9.4 through 1.14.4 allows a network-reachable DNS client with AXFR permission to crash the CoreDNS process via a zone transfer request, causing a denial of service against cluster DNS. The crash path is triggered only when the k8s_external plugin is configured for headless-service zone transfers and Kubernetes contains a headless service with no declared ports - a condition that causes an empty record batch to be forwarded to plugin/transfer/transfer.go, where an unchecked index access (records[0]) panics the Go runtime. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three conditions must simultaneously hold: (1) CoreDNS must be configured with the k8s_external plugin specifically handling headless-service zone transfers - this is a non-default, operator-configured deployment mode; (2) the Kubernetes cluster must contain at least one headless service endpoint with no declared ports, which causes plugin/kubernetes/object/endpoint.go to generate Port: -1 internally; and (3) the attacker must have AXFR access permitted by the CoreDNS transfer plugin ACL from their network location - AXFR is not open by default and typically restricted to trusted secondaries. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L accurately reflects a remotely triggerable but conditionally gated denial of service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A network client permitted to send AXFR requests to a CoreDNS instance sends a zone transfer request for a zone managed by the k8s_external plugin. If the Kubernetes cluster contains any headless service with no declared ports - even an unused or test service - the transfer plugin encounters an empty DNS record batch and panics on the unchecked records[0] access, immediately crashing the CoreDNS process. … |
| Remediation | Upgrade CoreDNS to version 1.14.5, confirmed fixed per the vendor release at https://github.com/coredns/coredns/releases/tag/v1.14.5 and fix commit ab318db7b4a3a19273852ed627f54888198c8efb. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-248 – Uncaught Exception
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45018