2445242 – (CVE-2026-26018) CVE-2026-26018 github.com/coredns/coredns: CoreDNS: Denial of Service vulnerability due to predictable pseudo-random number generation

Bug 2445242 (CVE-2026-26018) - CVE-2026-26018 github.com/coredns/coredns: CoreDNS: Denial of Service vulnerability due to predictable pseudo-random number generation

Summary: CVE-2026-26018 github.com/coredns/coredns: CoreDNS: Denial of Service vulnera...

Keywords:
Status:	NEW
Alias:	CVE-2026-26018
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-06 16:02 UTC by OSIDB Bzimport
Modified:	2026-03-06 18:21 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-06 16:02:01 UTC

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process. This issue has been patched in version 1.14.2.

Note You need to log in before you can comment on or make changes to this bug.