7.5
CoreDNS DNS Server Can Be Crashed by Malicious DNS Queries
CVE-2026-26018
GHSA-h75p-j8xm-m278
Summary
The CoreDNS DNS server can be crashed by a specially crafted DNS query in versions prior to 1.14.2. A crash interrupts DNS resolution for clients that rely on the server and requires a restart. Update to version 1.14.2 or later to fix this issue.
What to do
- Update CoreDNS (github.com/coredns/coredns) to version 1.14.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | coredns | <= 1.14.2 | 1.14.2 |
| coredns | github.com/coredns/coredns | <= 1.14.2 | 1.14.2 |
| coredns.io | coredns | <= 1.14.2 | – |
Original title
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by ...
Original description
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process. This issue has been patched in version 1.14.2.
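The two weaknesses the description names, a secret name drawn from a predictable PRNG and a match handler that ends the process, are shown below next to a hardened form. This is an added example, not CoreDNS code and not the actual patch; the function names, the `detector` type and the `probe.invalid.` suffix are assumptions made for illustration.

```go
package main

import (
	crand "crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	mrand "math/rand"
)

var ErrLoopSuspected = errors.New("probe name seen again: possible forwarding loop")

// weakProbeName shows the CWE-337 pattern: the name is a pure function of the
// seed, so whoever can guess the seed (e.g. a start time) can recompute it.
func weakProbeName(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	return fmt.Sprintf("%d.%d.probe.invalid.", r.Int63(), r.Int63())
}

// strongProbeName takes 128 bits from the OS CSPRNG; there is no seed to guess.
func strongProbeName() (string, error) {
	b := make([]byte, 16)
	if _, err := crand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b) + ".probe.invalid.", nil
}

// detector is a hypothetical stand-in for a loop check in a query path.
type detector struct {
	probe string
	hits  int
}

// observe returns an error on a probe sighting so the caller decides; no exit.
func (d *detector) observe(qname string) error {
	if qname != d.probe {
		return nil
	}
	d.hits++
	return fmt.Errorf("%w (sighting %d)", ErrLoopSuspected, d.hits)
}

func main() {
	fmt.Println(weakProbeName(1) == weakProbeName(1)) // same seed, same name
	name, _ := strongProbeName()
	d := &detector{probe: name}
	fmt.Println(d.observe(name), d.observe("www.example.org."))
}
```

Returning an error value lets the caller log the event or mark the instance unhealthy while the server keeps answering other queries.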
NVD CVSS 3.1
7.5
Vulnerability type
- CWE-337
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026