CVE-2026-25518

5.9 MEDIUM

📋 TL;DR

This vulnerability in cert-manager lets an attacker cause a denial of service by poisoning DNS caches during ACME DNS-01 challenge processing: an attacker who can intercept DNS traffic or control an authoritative DNS server can trigger a panic in the cert-manager controller. Organizations running affected cert-manager versions in Kubernetes clusters are exposed.

💻 Affected Systems

Products:
  • cert-manager
Versions: 1.18.0 to 1.18.4, 1.19.0 to 1.19.2
Operating Systems: All Kubernetes-supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using ACME DNS-01 challenges. HTTP-01 challenges are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service of the cert-manager controller, preventing certificate issuance and renewal across the entire Kubernetes cluster and potentially causing service disruptions as certificates expire.

🟠 Likely Case

Temporary cert-manager controller crashes requiring pod restarts, causing delays in certificate issuance and renewal operations.

🟢 If Mitigated

Minimal impact with proper network segmentation and DNS security controls that prevent DNS interception.

🌐 Internet-Facing: MEDIUM - Exploitation requires DNS interception or control of authoritative DNS servers, which is more feasible for internet-facing systems.
🏢 Internal Only: LOW - Requires internal DNS compromise or attacker already having network access to intercept DNS traffic.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to intercept DNS traffic or control authoritative DNS servers for domains being validated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.18.5, 1.19.3

Vendor Advisory: https://github.com/cert-manager/cert-manager/security/advisories

Restart Required: Yes

Instructions:

1. Back up cert-manager configurations.
2. Update cert-manager using Helm: 'helm upgrade cert-manager jetstack/cert-manager --version 1.18.5' (or '--version 1.19.3' on the 1.19 line).
3. Verify that all cert-manager pods restart successfully.
4. Test certificate issuance.

🔧 Temporary Workarounds

Use HTTP-01 challenges (applies to: all)

Switch from DNS-01 to HTTP-01 ACME challenges where possible:

kubectl edit issuer <issuer-name>
Change the solver type from DNS01 to HTTP01

Configure DNS over TLS (applies to: all)

Configure cert-manager to use DNS over TLS for DNS lookups:

Add a 'dns01:' section with 'cnameStrategy: Follow' and configure a DNS server with TLS support. Note that 'cnameStrategy: Follow' only controls whether cert-manager follows CNAME records on the challenge name; the encrypted transport itself has to be provided by the resolver the controller is configured to query.

🧯 If You Can't Patch

  • Implement network segmentation to protect cert-manager pod DNS traffic
  • Use dedicated, secured DNS servers for cert-manager with DNSSEC validation

🔍 How to Verify

Check if Vulnerable:

Check the cert-manager version: 'kubectl get deployment cert-manager -o jsonpath="{.spec.template.spec.containers[0].image}"' and verify whether the version falls in 1.18.0-1.18.4 or 1.19.0-1.19.2.

Check Version:

kubectl get deployment cert-manager -o jsonpath="{.spec.template.spec.containers[0].image}" | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'

Verify Fix Applied:

Verify that the cert-manager version is 1.18.5 or higher on the 1.18 line, or 1.19.3 or higher, and test DNS-01 certificate issuance.
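As an added example (not the advisory's own text or cert-manager project code), the following POSIX shell script turns the version check above into something scriptable: it parses the controller image tag and classifies it against the affected and fixed ranges stated in this advisory. The image references in the dry run are constructed samples, and the cert-manager namespace used by cm_check_cluster is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a cert-manager controller
# image reference against the CVE-2026-25518 version ranges given above.
# Affected: 1.18.0-1.18.4 and 1.19.0-1.19.2. Fixed: 1.18.5 and 1.19.3 or higher.

# Extract MAJOR.MINOR.PATCH from an image reference such as
# registry/cert-manager-controller:v1.18.3; a leading "v" on the tag and a
# trailing @sha256:... digest are tolerated.
cm_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*:\{0,1\}v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print one of: vulnerable, fixed, not-listed (a release line the advisory
# does not mention, e.g. 1.17.x), unknown (no version could be parsed).
cm_status() {
    v=$(cm_version "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -eq 1 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -le 4 ]; then echo vulnerable; else echo fixed; fi
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 19 ]; then
        if [ "$patch" -le 2 ]; then echo vulnerable; else echo fixed; fi
    elif [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 19 ]; }; then
        echo fixed       # "1.19.3 or higher"
    else
        echo not-listed
    fi
}

# Exit-status form for scripting: 0 = vulnerable, 1 = anything else.
cm_is_vulnerable() {
    [ "$(cm_status "$1")" = vulnerable ]
}

# Read the live controller image and classify it. Assumes (not stated in the
# advisory) that the deployment lives in the cert-manager namespace.
cm_check_cluster() {
    img=$(kubectl -n "${CERT_MANAGER_NS:-cert-manager}" get deployment cert-manager \
        -o jsonpath='{.spec.template.spec.containers[0].image}')
    printf '%s -> %s\n' "$img" "$(cm_status "$img")"
}

# Dry run on constructed image references (not real cluster output).
for ref in quay.io/jetstack/cert-manager-controller:v1.18.3 \
           quay.io/jetstack/cert-manager-controller:v1.19.3 \
           quay.io/jetstack/cert-manager-controller:v1.20.0@sha256:0123abcd; do
    printf '%s -> %s\n' "$ref" "$(cm_status "$ref")"
done
```

Run cm_check_cluster against a live cluster with a kubeconfig in place; the functions are also safe to source into a larger audit script.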

📡 Detection & Monitoring

Log Indicators:

  • cert-manager-controller pod crashes/restarts
  • Panic logs in cert-manager controller
  • DNS lookup errors during certificate issuance

Network Indicators:

  • Unusual DNS traffic patterns to/from cert-manager pods
  • DNS responses with malformed data to cert-manager

SIEM Query:

source="cert-manager" AND ("panic" OR "fatal" OR "crash")

🔗 References
