DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26018: CVE-2026-26018: Remote Denial of Service in CoreDNS Loop Detection Plugin via Predictable PRNG

#security #cve #cybersecurity

CVE-2026-26018: Remote Denial of Service in CoreDNS Loop Detection Plugin via Predictable PRNG

Vulnerability ID: CVE-2026-26018
CVSS Score: 7.5
Published: 2026-03-06

CoreDNS, the default DNS server for Kubernetes, contains a critical Denial of Service (DoS) vulnerability in its loop detection plugin. The plugin uses a non-cryptographically secure pseudo-random number generator (PRNG) seeded with the current timestamp to generate self-test query names. An unauthenticated remote attacker can predict this seed or observe the query in logs to craft a matching UDP packet. Upon receiving a response that matches the predictable query name, the CoreDNS process triggers a fatal error and terminates, leading to a complete service outage.

TL;DR

The CoreDNS loop plugin < 1.14.2 generates predictable loop detection queries using math/rand seeded with the current time. Attackers can guess the query name or read it from logs, then send matching packets to the server. This triggers a false positive loop detection that calls log.Fatalf, crashing the DNS service instantly.

⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-26018
  • CVSS v3.1: 7.5 (High)
  • Attack Vector: Network (UDP)
  • CWE: CWE-337 (Predictable Seed)
  • CWE: CWE-770 (Resource Allocation)
  • Exploit Status: PoC Available
  • KEV Listed: No

Affected Systems

  • CoreDNS < 1.14.2
  • Kubernetes clusters using default CoreDNS configuration
  • Managed Kubernetes services (EKS, AKS, GKE) running older CoreDNS versions
  • CoreDNS: < 1.14.2 (Fixed in: 1.14.2)

Mitigation Strategies

  • Update CoreDNS to version 1.14.2 or later immediately.
  • Disable the loop plugin in the Corefile configuration if updating is not feasible.
  • Restrict access to CoreDNS logs to privileged users only.
  • Implement NetworkPolicies to restrict DNS access to valid internal CIDR ranges.

Remediation Steps:

  1. Identify the current CoreDNS version: kubectl get deployment coredns -n kube-system -o jsonpath='{.spec.template.spec.containers[0].image}'
  2. Update the container image to coredns/coredns:1.14.2.
  3. Verify the update by checking the image tag and ensuring the pods are Running.
  4. Alternative (Workaround): Edit the ConfigMap (kubectl edit configmap coredns -n kube-system) and remove the loop line from the Corefile configuration.

References

Read the full report for CVE-2026-26018 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)