CVE-2026-26018

7.5 HIGH

📋 TL;DR

A denial of service vulnerability in CoreDNS's loop detection plugin allows attackers to crash DNS servers by sending specially crafted DNS queries. The vulnerability affects CoreDNS versions prior to 1.14.2 due to predictable pseudo-random number generation combined with a fatal error handler. Organizations running vulnerable CoreDNS instances are affected.

💻 Affected Systems

Products:
  • CoreDNS
Versions: All versions prior to 1.14.2
Operating Systems: All platforms running CoreDNS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the loop detection plugin which is commonly used to prevent DNS amplification attacks.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete DNS service outage causing unavailability of DNS resolution for all dependent services and applications.

🟠 Likely Case

Intermittent DNS server crashes leading to service disruptions and degraded DNS resolution performance.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: HIGH - DNS servers are typically internet-facing and directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal DNS servers could be targeted by compromised internal systems or malicious insiders.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted DNS queries but does not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.14.2

Vendor Advisory: https://github.com/coredns/coredns/security/advisories/GHSA-h75p-j8xm-m278

Restart Required: Yes

Instructions:

  1. Download CoreDNS 1.14.2 or later from GitHub releases.
  2. Stop the current CoreDNS service.
  3. Replace the binary with the patched version.
  4. Restart the CoreDNS service.
  5. Verify the service is running correctly.

🔧 Temporary Workarounds

Disable loop detection plugin (all platforms)

Remove or disable the loop detection plugin from CoreDNS configuration to eliminate the vulnerable component.

Edit Corefile to remove 'loop' plugin from server blocks

Network filtering (Linux)

Implement network ACLs to restrict DNS queries to trusted sources only.

TRUSTED_NET="192.0.2.0/24"  # placeholder: replace with the CIDR of your trusted DNS clients
iptables -A INPUT -p udp --dport 53 -s "$TRUSTED_NET" -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s "$TRUSTED_NET" -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP

🧯 If You Can't Patch

  • Implement rate limiting on DNS queries to reduce attack surface
  • Deploy redundant DNS servers with load balancing to maintain service during attacks

🔍 How to Verify

Check if Vulnerable:

Check CoreDNS version with 'coredns -version' and verify it's below 1.14.2

Check Version:

coredns -version

Verify Fix Applied:

Confirm version is 1.14.2 or higher with 'coredns -version' and test DNS resolution functionality
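
The version check above can be combined with the "remove loop from the Corefile" workaround in one triage script. This is an added example, not code from CoreDNS or the advisory. It assumes `coredns -version` prints a line beginning `CoreDNS-<version>`; the function names and the Corefile path in the usage comment are illustrative.

```sh
#!/bin/sh
# Added example: exposure triage for CVE-2026-26018. Not CoreDNS project code.
FIXED="1.14.2"   # patched release named on this page

# Pull X.Y.Z out of version text. ASSUMPTION: `coredns -version` prints a
# line beginning "CoreDNS-<version>"; adjust the pattern if your build differs.
parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/^CoreDNS-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeeds when $1 is strictly older than $2 (numeric major.minor.patch,
# so 1.9.4 sorts before 1.14.2, which a plain string compare gets wrong).
version_lt() {
    [ "$1" != "$2" ] || return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# Succeeds when the Corefile enables the loop plugin: a directive line that is
# exactly "loop" once comments are stripped. Files pulled in via "import" are
# not followed, so run this on each imported file as well.
corefile_has_loop() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*loop[[:space:]]*$'
}

# Prints PATCHED, VULNERABLE, WORKAROUND (old binary, loop removed) or UNKNOWN.
assess() {
    ver=$(parse_version "$1")
    [ -n "$ver" ] || { echo "UNKNOWN"; return 0; }
    if ! version_lt "$ver" "$FIXED"; then
        echo "PATCHED"
    elif corefile_has_loop "$2"; then
        echo "VULNERABLE"
    else
        echo "WORKAROUND"
    fi
}

# Usage: sh triage.sh /etc/coredns/Corefile   (path is an example)
if [ "$#" -ge 1 ]; then
    assess "$(coredns -version 2>/dev/null)" "$1"
fi
```

A WORKAROUND result means the binary is still older than 1.14.2 and only the plugin removal is protecting it, so the host stays on the patch list.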

📡 Detection & Monitoring

Log Indicators:

  • CoreDNS process crashes or restarts
  • Fatal error messages related to loop detection
  • Unusual spike in DNS query volume

Network Indicators:

  • Repeated DNS queries with similar patterns
  • DNS queries to non-existent or malformed domains
  • Unusual source IPs sending high volumes of DNS queries

SIEM Query:

source="coredns" AND ("fatal" OR "panic" OR "crash") OR (dns.query_count > threshold)
