443 matches found
CVE-2026-62299
CoreDNS (rewrite plugin, edns0.go) prior to version 1.14.5 could panic when a downstream plugin returns a response with no OPT record. The code path in edns0.go dereferenced a DNS OPT without a nil check, triggered by a query matching a rewrite edns0 rule (local/nsid/subnet with set/append/replac...
CVE-2026-62309
CoreDNS (Go) vulnerability CVE-2026-62309 affects the proxyproto plugin. A crafted PROXY v2 header with a non-UDP transport (family 0x11) can cause a crash via PacketConn.ReadFrom, where a nil readFrom result is reinterpreted after a failed parse and addr.String() is logged before crash recovery....
CVE-2026-62994 CoreDNS `k8s_external` headless AXFR can emit an empty transfer batch that panics the `transfer` plugin
CoreDNS is a DNS server written in Go. From 1.9.4 until 1.14.5, a network DNS client allowed to request AXFR for a CoreDNS zone can trigger a panic when CoreDNS is configured with k8sexternal headless-service zone transfers and Kubernetes contains a headless service endpoint with no declared port...
OESA-2026-2939 coredns security update
CoreDNS is a fast and flexible DNS server. The key word here is flexible: with CoreDNS you are able to do what you want with your DNS data by utilizing plugins. Security Fixes: CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS acce...
GO-2026-5667 CoreDNS has TSIG authentication bypass on gRPC and QUIC transports in github.com/coredns/coredns
CoreDNS has TSIG authentication bypass on gRPC and QUIC transports in github.com/coredns/coredns...
OESA-2026-2720 coredns security update
CoreDNS is a fast and flexible DNS server. The key word here is flexible: with CoreDNS you are able to do what you want with your DNS data by utilizing plugins. Security Fixes: CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd...
Photon OS 4.0: Coredns PHSA-2026-4.0-1038
An update of the coredns package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-4.0-1038. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...
Critical Photon OS Security Update - PHSA-2026-4.0-1038
Updates of 'python3-pip', 'coredns', 'erlang', 'rsync', 'redis' packages of Photon OS have been released...
Photon OS 5.0: Coredns PHSA-2026-5.0-0869
An update of the coredns package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-5.0-0869. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...
CVE-2026-39821 affecting package coredns for versions less than 1.11.4-17
CVE-2026-39821 affecting package coredns for versions less than 1.11.4-17. A patched version of the package is available...
CVE-2026-32936
A flaw was found in CoreDNS, a DNS server that chains plugins. A remote, unauthenticated attacker can exploit this vulnerability by repeatedly sending oversized DNS-over-HTTPS DoH GET requests. The GET path, unlike the POST path, lacks size validation before processing large dns= query parameter...
CVE-2026-32934
A flaw was found in CoreDNS, a DNS server that chains plugins. The DNS-over-QUIC DoQ server is vulnerable to unbounded resource growth. An unauthenticated remote attacker can exploit this by opening numerous QUIC streams and sending only one byte per stream, causing the server to spawn excessive...
CVE-2026-33489
A flaw was found in CoreDNS. An unauthorized remote client can exploit a vulnerability in the transfer plugin's Access Control List ACL stanza selection. This occurs when both a parent zone and a more-specific subzone are configured, and the longestMatch function incorrectly uses a lexicographic...
GO-2026-4969 CoreDNS' DoQ worker pool does not bound stream backlog in github.com/coredns/coredns
CoreDNS' DoQ worker pool does not bound stream backlog in github.com/coredns/coredns...
PT-2026-42372
CoreDNS' DoQ worker pool does not bound stream backlog in github.com/coredns/coredns...
CVE-2026-35579 affecting package coredns for versions less than 1.11.4-16
CVE-2026-35579 affecting package coredns for versions less than 1.11.4-16. A patched version of the package is available...
CVE-2026-33489 affecting package coredns for versions less than 1.11.4-16
CVE-2026-33489 affecting package coredns for versions less than 1.11.4-16. A patched version of the package is available...
CVE-2026-32936 affecting package coredns for versions less than 1.11.4-16
CVE-2026-32936 affecting package coredns for versions less than 1.11.4-16. A patched version of the package is available...
CVE-2026-32934 affecting package coredns for versions less than 1.11.4-16
CVE-2026-32934 affecting package coredns for versions less than 1.11.4-16. A patched version of the package is available...
CVE-2026-35579
A flaw was found in CoreDNS. An unauthenticated network attacker can exploit incorrect handling of TSIG Transaction Signature authentication in the gRPC, QUIC, DoH DNS over HTTPS, and DoH3 transport implementations. This vulnerability allows an attacker to bypass TSIG protection, leading to...