Summary
Executive Summary
A Denial of Service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process.
Technical Details
Vulnerability Description
The CoreDNS loop plugin is designed to detect forwarding loops by performing a self-test during server startup. The plugin generates a random query name (qname) using Go's math/rand package and sends an HINFO query to itself. If the server receives multiple matching queries, it assumes a forwarding loop exists and terminates.
The vulnerability arises from two design flaws:
- Predictable PRNG seed: the random number generator is seeded with time.Now().UnixNano(), making the generated qname predictable if an attacker knows the approximate server start time.
- Fatal error handler: when the plugin detects what it believes is a loop (3 or more matching HINFO queries), it calls log.Fatalf(), which invokes os.Exit(1), immediately terminating the process without cleanup or recovery.
Affected Code
File: plugin/loop/setup.go

```go
// PRNG seeded with the predictable start timestamp. rand here is CoreDNS's
// plugin/pkg/rand, a mutex-guarded wrapper around Go's math/rand.
var r = rand.New(time.Now().UnixNano())

// Qname generation using two consecutive PRNG calls: "<int>.<int>.<zone>"
func qname(zone string) string {
	l1 := strconv.Itoa(r.Int())
	l2 := strconv.Itoa(r.Int())
	return dnsutil.Join(l1, l2, zone)
}
```
File: plugin/loop/loop.go

```go
func (l *Loop) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {
	// ... validation checks ...
	if state.Name() == l.qname {
		l.inc() // Increment counter; any client that sends the qname gets counted
	}
	if l.seen() > 2 {
		// FATAL: terminates the entire process
		log.Fatalf("Loop (%s -> %s) detected for zone %q...", ...)
	}
	// ...
}
```
File: plugin/pkg/log/log.go

```go
func Fatalf(format string, v ...any) {
	logf(fatal, format, v...)
	os.Exit(1) // Immediate process termination, no deferred cleanup runs
}
```
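A hardened variant of the qname generator, added here as an illustration and not CoreDNS's own fix in 1.14.2: the two labels are drawn from crypto/rand instead of a start-time-seeded math/rand, so the process start time reveals nothing about the probe name. The fqdn helper is a stand-in for dns.Fqdn so the file has no CoreDNS dependency.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// fqdn appends the trailing dot if the zone lacks one (stand-in for dns.Fqdn,
// used so this example needs no CoreDNS or miekg/dns import).
func fqdn(zone string) string {
	if strings.HasSuffix(zone, ".") {
		return zone
	}
	return zone + "."
}

// qnameUnpredictable returns "<16 hex>.<16 hex>.<zone>." built from 128 bits
// read from the OS CSPRNG. Unlike the time-seeded math/rand version on this
// page, knowing when the server started gives no information about the name.
func qnameUnpredictable(zone string) (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", fmt.Errorf("loop: reading random bytes: %w", err)
	}
	l1 := hex.EncodeToString(b[:8])
	l2 := hex.EncodeToString(b[8:])
	return l1 + "." + l2 + "." + fqdn(zone), nil
}

func main() {
	// The loop plugin in a Kubernetes ".:53" server block uses the root zone.
	name, err := qnameUnpredictable(".")
	if err != nil {
		panic(err)
	}
	fmt.Println(name)
}
```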
Exploitation Window
The loop plugin remains active during the following conditions:
| Condition | Window Duration | Attack Feasibility |
|---|---|---|
| Healthy startup | 2 seconds | Requires precise timing |
| Self-test failure (upstream unreachable) | 30 seconds | HIGH - Extended window |
| Network degradation | Variable | Depends on retry behavior |
Attack Scenario
Primary Attack Vector: Network Degradation
When the upstream DNS server is unreachable (network partition, misconfiguration, outage), the loop plugin's self-test fails repeatedly. During this period:
- The loop plugin remains active for up to 30 seconds
- Each self-test attempt generates an HINFO query visible in CoreDNS logs
- An attacker with log access (shared Kubernetes cluster, centralized logging) can observe the qname
- The attacker sends 3 HINFO queries with the observed qname
- The server immediately crashes
┌──────────────────────────────────────────────────────────────────────────┐
│ ATTACK TIMELINE │
├──────────────────────────────────────────────────────────────────────────┤
│ T+0s CoreDNS starts, PRNG seeded with UnixNano() │
│ T+0.5s Self-test HINFO query sent (visible in logs) │
│ T+2s Self-test fails (upstream timeout) │
│ T+3s Retry #1 - counter resets, qname unchanged │
│ T+5s Retry #2 - attacker observes qname in logs │
│ T+5.1s ATTACKER: Send HINFO #1 → counter = 1 │
│ T+5.2s ATTACKER: Send HINFO #2 → counter = 2 │
│ T+5.3s ATTACKER: Send HINFO #3 → counter = 3 → os.Exit(1) │
│ T+5.3s SERVER CRASHES │
└──────────────────────────────────────────────────────────────────────────┘
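Detection logic for the scenario above, added here as an example and not part of CoreDNS: it scans query-log lines in the log plugin's default "common" format and flags HINFO queries for a probe-shaped name (two decimal labels plus the root zone) that arrive from any address other than the server's own self-test source, reporting a (remote, qname) pair once it reaches the threshold at which the plugin exits. The trusted-source set and the sample log lines are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// lineRE parses the CoreDNS log plugin's default "common" format, capturing
// remote address, query type and name: [INFO] remote:port - id "TYPE IN name ..."
var lineRE = regexp.MustCompile(`^\[INFO\] (\S+):\d+ - \d+ "(\w+) IN (\S+) `)

// probeRE is the shape the vulnerable qname() yields for the root zone:
// two decimal labels from r.Int(), then the trailing dot.
var probeRE = regexp.MustCompile(`^\d+\.\d+\.$`)
type key struct{ remote, qname string }

// suspiciousProbes counts HINFO queries for probe-shaped names per (remote, qname),
// skipping trusted sources (the plugin's own self-test), and keeps pairs at threshold.
func suspiciousProbes(lines []string, trusted map[string]bool, threshold int) map[key]int {
	counts := map[key]int{}
	for _, ln := range lines {
		m := lineRE.FindStringSubmatch(ln)
		if m == nil || m[2] != "HINFO" || !probeRE.MatchString(m[3]) || trusted[m[1]] {
			continue
		}
		counts[key{m[1], m[3]}]++
	}
	for k, n := range counts {
		if n < threshold {
			delete(counts, k)
		}
	}
	return counts
}

// Constructed sample lines (not real CoreDNS output): one self-test probe from
// loopback, three identical probes from a pod address, and an unrelated A query.
var sampleLog = []string{
	`[INFO] 127.0.0.1:41234 - 1001 "HINFO IN 5577006791947779410.8674665223082153551. udp 60 false 512 SERVFAIL qr,rd 60 0.0003s"`,
	`[INFO] 10.244.1.7:53022 - 2001 "HINFO IN 5577006791947779410.8674665223082153551. udp 60 false 512 SERVFAIL qr,rd 60 0.0002s"`,
	`[INFO] 10.244.1.7:53023 - 2002 "HINFO IN 5577006791947779410.8674665223082153551. udp 60 false 512 SERVFAIL qr,rd 60 0.0002s"`,
	`[INFO] 10.244.1.7:53024 - 2003 "HINFO IN 5577006791947779410.8674665223082153551. udp 60 false 512 SERVFAIL qr,rd 60 0.0002s"`,
	`[INFO] 10.244.2.3:40001 - 3001 "A IN kubernetes.default.svc.cluster.local. udp 60 false 512 NOERROR qr,aa,rd 106 0.0001s"`,
}

func main() {
	for k, n := range suspiciousProbes(sampleLog, map[string]bool{"127.0.0.1": true}, 3) {
		fmt.Printf("ALERT: %d HINFO probes for %s from %s\n", n, k.qname, k.remote)
	}
}
```

Because the crash itself leaves no log line, the useful signal is the repeated probe-shaped HINFO queries from a non-self source just before the restart; in a cluster, wire the alert to the pod's restart count.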
Impact Assessment
Attack Requirements
| Requirement | Notes |
|---|---|
| Network Access | Must be able to send UDP packets to CoreDNS port |
| Log Access | Required to observe the qname (common in shared clusters) |
| Timing | Extended window during network degradation |
| Authentication | None required |
Real-World Impact
CoreDNS is the default DNS server for Kubernetes clusters. A successful attack would:
- Disruption: All DNS resolution fails within the cluster
- Cascading Failures: Services unable to discover each other
- Restart Loop: If attack persists, CoreDNS enters crash-restart cycle
- Data Plane Impact: Application-level failures across the cluster
References
- CoreDNS GitHub: https://github.com/coredns/coredns
- Loop Plugin Documentation: https://coredns.io/plugins/loop/
- Go math/rand Documentation: https://pkg.go.dev/math/rand
Impact
CVE-2026-26018 has a CVSS score of 7.5 (High): the attack vector is network, with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.14.2); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-26018? CVE-2026-26018 is a high-severity security vulnerability in github.com/coredns/coredns (go), affecting versions < 1.14.2. It is fixed in 1.14.2.
- How severe is CVE-2026-26018? CVE-2026-26018 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/coredns/coredns are affected by CVE-2026-26018? github.com/coredns/coredns (go) versions < 1.14.2 are affected.
- Is there a fix for CVE-2026-26018? Yes. CVE-2026-26018 is fixed in 1.14.2. Upgrade to this version or later.
- Is CVE-2026-26018 exploitable, and should I be worried? Whether CVE-2026-26018 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-26018 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-26018? Upgrade github.com/coredns/coredns to 1.14.2 or later.