CVE-2026-26018

CVE-2026-26018 is a high-severity security vulnerability in github.com/coredns/coredns (go), affecting versions < 1.14.2. It is fixed in 1.14.2.

Summary

Executive Summary

A Denial of Service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process.

Technical Details

Vulnerability Description

The CoreDNS loop plugin is designed to detect forwarding loops by performing a self-test during server startup. The plugin generates a random query name (qname) using Go's math/rand package and sends an HINFO query to itself. If the server receives multiple matching queries, it assumes a forwarding loop exists and terminates.

The vulnerability arises from two design flaws:

  1. Predictable PRNG Seed: The random number generator is seeded with time.Now().UnixNano(), making the generated qname predictable if an attacker knows the approximate server start time.

  2. Fatal Error Handler: When the plugin detects what it believes is a loop (3+ matching HINFO queries), it calls log.Fatalf() which invokes os.Exit(1), immediately terminating the process without cleanup or recovery.

Affected Code

File: plugin/loop/setup.go

// PRNG seeded with the process start time (predictable to anyone who can
// estimate when the server came up); rand.New takes a rand.Source, so the
// seed is wrapped in rand.NewSource
var r = rand.New(rand.NewSource(time.Now().UnixNano()))

// Qname generation using two consecutive PRNG calls as labels under the zone
func qname(zone string) string {
    l1 := strconv.Itoa(r.Int())
    l2 := strconv.Itoa(r.Int())
    return dnsutil.Join(l1, l2, zone)
}

File: plugin/loop/loop.go

func (l *Loop) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {
    // ... validation checks ...
    
    if state.Name() == l.qname {
        l.inc()  // Increment counter
    }

    if l.seen() > 2 {
        // FATAL: Terminates entire process
        log.Fatalf("Loop (%s -> %s) detected for zone %q...", ...)
    }
    
    // ...
}

File: plugin/pkg/log/log.go

func Fatalf(format string, v ...any) {
    logf(fatal, format, v...)
    os.Exit(1)  // Immediate process termination
}
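
The two flaws above can be shown side by side in a small stand-alone Go program. This is an added example, not CoreDNS code and not the fix shipped in 1.14.2: predictableQname reproduces the time-seeded math/rand construction so that two generators given the same seed yield the same name, unpredictableQname draws the labels from crypto/rand instead, and Detector keeps the same "more than two matches" counter as loop.go but hands the decision back to the caller as a boolean rather than calling os.Exit. The helper names (join, predictableQname, unpredictableQname, Detector) and the sample seed are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
	"strconv"
	"strings"
)

// join stands in for dnsutil.Join (assumption, not the project's helper):
// it concatenates labels with dots and guarantees a trailing dot.
func join(labels ...string) string {
	name := strings.Join(labels, ".")
	if !strings.HasSuffix(name, ".") {
		name += "."
	}
	return name
}

// predictableQname mirrors the vulnerable construction: a math/rand
// generator seeded from a timestamp and two consecutive Int() draws as labels.
// Anyone who knows (or can guess) the seed derives the same name.
func predictableQname(seed int64, zone string) string {
	r := mrand.New(mrand.NewSource(seed))
	l1 := strconv.Itoa(r.Int())
	l2 := strconv.Itoa(r.Int())
	return join(l1, l2, zone)
}

// unpredictableQname draws the two labels from crypto/rand, so the process
// start time carries no information about the self-test name.
func unpredictableQname(zone string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return join(hex.EncodeToString(buf[:8]), hex.EncodeToString(buf[8:]), zone), nil
}

// Detector counts queries whose name matches the self-test qname
// (case-insensitively, as DNS names compare). It only reports; the caller
// decides whether to log, alert or stop serving.
type Detector struct {
	qname string
	seen  int
}

// Observe records one incoming query name and returns true once more than
// two matches have been seen, the same threshold as l.seen() > 2 in loop.go.
func (d *Detector) Observe(name string) bool {
	if strings.EqualFold(name, d.qname) {
		d.seen++
	}
	return d.seen > 2
}

func main() {
	const seed = 1700000000000000000 // constructed "start time" in nanoseconds
	a := predictableQname(seed, "example.org.")
	b := predictableQname(seed, "example.org.")
	fmt.Println("same seed reproduces the qname:", a == b)

	q, err := unpredictableQname("example.org.")
	if err != nil {
		fmt.Println("crypto/rand unavailable:", err)
		return
	}
	fmt.Println("crypto/rand qname:", q)

	d := &Detector{qname: q}
	for i := 0; i < 3; i++ {
		if d.Observe(q) {
			fmt.Println("loop suspected after", d.seen, "matches; caller chooses the response")
		}
	}
}
```

Running it prints that the two time-seeded names are identical and then shows a crypto/rand name that cannot be derived from the clock; the detector fires on the third matching query, exactly as the vulnerable counter does, but without taking the process down.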

Exploitation Window

The loop plugin remains active during the following conditions:

Condition                                | Window Duration | Attack Feasibility
Healthy startup                          | 2 seconds       | Requires precise timing
Self-test failure (upstream unreachable) | 30 seconds      | HIGH - extended window
Network degradation                      | Variable        | Depends on retry behavior

Attack Scenario

Primary Attack Vector: Network Degradation

When the upstream DNS server is unreachable (network partition, misconfiguration, outage), the loop plugin's self-test fails repeatedly. During this period:

  1. The loop plugin remains active for up to 30 seconds
  2. Each self-test attempt generates an HINFO query visible in CoreDNS logs
  3. An attacker with log access (shared Kubernetes cluster, centralized logging) can observe the qname
  4. The attacker sends 3 HINFO queries with the observed qname
  5. The server immediately crashes

┌──────────────────────────────────────────────────────────────────────────┐
│                         ATTACK TIMELINE                                  │
├──────────────────────────────────────────────────────────────────────────┤
│ T+0s     CoreDNS starts, PRNG seeded with UnixNano()                     │
│ T+0.5s   Self-test HINFO query sent (visible in logs)                    │
│ T+2s     Self-test fails (upstream timeout)                              │
│ T+3s     Retry #1 - counter resets, qname unchanged                      │
│ T+5s     Retry #2 - attacker observes qname in logs                      │
│ T+5.1s   ATTACKER: Send HINFO #1 → counter = 1                           │
│ T+5.2s   ATTACKER: Send HINFO #2 → counter = 2                           │
│ T+5.3s   ATTACKER: Send HINFO #3 → counter = 3 → os.Exit(1)              │
│ T+5.3s   SERVER CRASHES                                                  │
└──────────────────────────────────────────────────────────────────────────┘

Impact Assessment

Attack Requirements

Requirement    | Notes
Network Access | Must be able to send UDP packets to the CoreDNS port
Log Access     | Required to observe the qname (common in shared clusters)
Timing         | Extended window during network degradation
Authentication | None required

Real-World Impact

CoreDNS is the default DNS server for Kubernetes clusters. A successful attack would:

  1. Disruption: All DNS resolution fails within the cluster
  2. Cascading Failures: Services unable to discover each other
  3. Restart Loop: If attack persists, CoreDNS enters crash-restart cycle
  4. Data Plane Impact: Application-level failures across the cluster

Impact

CVE-2026-26018 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.14.2); upgrading removes the vulnerable code path.

Affected versions

github.com/coredns/coredns (< 1.14.2)

Security releases

github.com/coredns/coredns → 1.14.2 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade github.com/coredns/coredns to 1.14.2 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-26018? CVE-2026-26018 is a high-severity security vulnerability in github.com/coredns/coredns (go), affecting versions < 1.14.2. It is fixed in 1.14.2.
  2. How severe is CVE-2026-26018? CVE-2026-26018 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/coredns/coredns are affected by CVE-2026-26018? github.com/coredns/coredns (go) versions < 1.14.2 are affected.
  4. Is there a fix for CVE-2026-26018? Yes. CVE-2026-26018 is fixed in 1.14.2. Upgrade to this version or later.
  5. Is CVE-2026-26018 exploitable, and should I be worried? Whether CVE-2026-26018 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-26018 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-26018? Upgrade github.com/coredns/coredns to 1.14.2 or later.
