Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-26018

CVE-2026-26018: CoreDNS Denial of Service Vulnerability

CVE-2026-26018 is a denial of service vulnerability in CoreDNS that allows attackers to crash the DNS server with crafted queries. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-26018 Overview

CVE-2026-26018 is a denial of service vulnerability affecting CoreDNS, a popular DNS server that chains plugins. The vulnerability exists in CoreDNS's loop detection plugin and allows an attacker to crash the DNS server by sending specially crafted DNS queries. The flaw stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process.

Critical Impact

Attackers can exploit this vulnerability to crash CoreDNS servers remotely without authentication, causing DNS service outages that may affect all dependent services and applications.

Affected Products

  • CoreDNS versions prior to 1.14.2
  • Systems running CoreDNS with the loop detection plugin enabled
  • Kubernetes clusters using CoreDNS as the default DNS provider

Discovery Timeline

  • 2026-03-06 - CVE-2026-26018 published to NVD
  • 2026-03-09 - Last updated in NVD database

Technical Details for CVE-2026-26018

Vulnerability Analysis

This vulnerability is classified under CWE-337 (Predictable Seed in Pseudo-Random Number Generator). The root issue lies in how CoreDNS generates secret query names used by its loop detection mechanism. The loop detection plugin is designed to prevent DNS query loops, but its implementation uses a predictable PRNG that can be exploited by attackers who can predict or brute-force the generated secret values.

When an attacker successfully predicts the secret query name and sends a crafted DNS query, the loop detection plugin incorrectly identifies it as a loop condition. The fatal error handler then terminates the entire CoreDNS process rather than gracefully handling the condition, resulting in a complete denial of service.

Root Cause

The vulnerability originates from two compounding issues:

  1. Predictable PRNG Usage: The loop detection plugin uses a predictable pseudo-random number generator to create secret query names. This allows attackers to potentially predict or enumerate the secret values used for loop detection.

  2. Fatal Error Handler: When a loop is detected (legitimately or through exploitation), the plugin triggers a fatal error that terminates the entire CoreDNS process instead of implementing a more graceful error handling mechanism.

The combination of these weaknesses allows remote, unauthenticated attackers to reliably crash CoreDNS servers.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:

  1. Analyzing or predicting the secret query name generated by the vulnerable PRNG
  2. Crafting DNS queries that include the predicted secret query name
  3. Sending the malicious queries to the target CoreDNS server
  4. Triggering the loop detection mechanism, which invokes the fatal error handler
  5. Causing the CoreDNS process to terminate, resulting in DNS service disruption

The attack can be executed remotely over the network, making it particularly dangerous for internet-facing DNS servers and Kubernetes clusters that rely on CoreDNS for service discovery.

Detection Methods for CVE-2026-26018

Indicators of Compromise

  • Unexpected CoreDNS process terminations or restarts in system logs
  • Sudden DNS resolution failures across dependent services
  • Unusual DNS query patterns with suspicious query names targeting the CoreDNS server
  • Container or pod restart events in Kubernetes clusters running CoreDNS

Detection Strategies

  • Monitor CoreDNS logs for fatal error messages related to loop detection
  • Implement DNS query logging to identify anomalous query patterns
  • Set up alerting for CoreDNS process crashes or unexpected restarts
  • Deploy network monitoring to detect high-volume DNS query attacks

Monitoring Recommendations

  • Configure centralized logging for all CoreDNS instances to correlate crash events
  • Implement health checks and automated alerting for DNS service availability
  • Monitor Kubernetes cluster events for CoreDNS pod restart patterns
  • Review DNS traffic baselines to identify deviations that may indicate exploitation attempts

How to Mitigate CVE-2026-26018

Immediate Actions Required

  • Upgrade CoreDNS to version 1.14.2 or later immediately
  • Review CoreDNS deployment configurations to ensure the loop plugin is properly configured
  • Implement rate limiting for DNS queries if not already in place
  • Consider temporary workarounds if immediate patching is not possible

Patch Information

The vulnerability has been patched in CoreDNS version 1.14.2. The fix addresses both the predictable PRNG issue and improves the error handling mechanism to prevent process termination. Organizations should upgrade to this version or later as soon as possible.

For detailed patch information, refer to the GitHub CoreDNS Release v1.14.2 and the GitHub Security Advisory GHSA-h75p-j8xm-m278.

Workarounds

  • If immediate patching is not possible, consider disabling the loop detection plugin temporarily while weighing the risk of DNS loops against denial of service
  • Implement network-level access controls to restrict DNS query sources to trusted networks
  • Deploy redundant CoreDNS instances to maintain service availability in case of exploitation
  • Use a web application firewall or DNS firewall to filter suspicious DNS query patterns
bash
# Verify CoreDNS version and upgrade if necessary
coredns -version

# For Kubernetes deployments, update the CoreDNS image
kubectl set image deployment/coredns coredns=coredns/coredns:1.14.2 -n kube-system

# Verify the upgrade was successful
kubectl get pods -n kube-system -l k8s-app=kube-dns -o jsonpath='{.items[*].spec.containers[*].image}'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.