CVE-2026-26018
- Source
- https://cve.org/CVERecord?id=CVE-2026-26018
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26018.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-26018
- Aliases
- Downstream
- Related
- Published
- 2026-03-06T15:35:50.801Z
- Modified
- 2026-03-14T06:14:02.529149841Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- CoreDNS Loop Detection Denial of Service Vulnerability
- Details
-
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process. This issue has been patched in version 1.14.2.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-337", "CWE-400", "CWE-770" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26018.json" }- References
Affected packages
Git / github.com/coredns/coredns
Affected ranges
- Type
- GIT
- Repo
- https://github.com/coredns/coredns
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.9.10
v0.9.9
Other
v001
v002
v003
v004
v005
v006
v007
v008
v009
v010
v011
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.5
v1.0.6
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.10.0
v1.10.1
v1.11.0
v1.11.1
v1.11.3
v1.11.4
v1.12.0
v1.12.1
v1.12.2
v1.12.3
v1.12.4
v1.13.0
v1.13.1
v1.13.2
v1.14.0
v1.14.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.3.0
v1.3.1
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4