coredns
About this tag
CoreDNS is the default DNS server for many Kubernetes clusters, and the tag covers security vulnerabilities and operational guidance for maintaining cluster DNS reliability. Recent discussions focus on high-severity CVEs, including CVE-2026-26018, a denial-of-service flaw in the loop plugin that can crash CoreDNS, and CVE-2026-26017, a TOCTOU ordering bug that bypasses DNS access controls. Also covered is CVE-2024-0874, a caching bug involving the Checking Disabled flag that affects Azure Linux and AKS. Topics include patch guidance, plugin ordering, and mitigation strategies for Kubernetes and multi-tenant deployments.
CoreDNS has been assigned CVE-2026-26018 — a high-severity denial-of-service vulnerability in the loop plugin that can be triggered remotely by an attacker who can send carefully crafted DNS queries and (under realistic cluster conditions) crash the CoreDNS process, with wide-reaching...
CoreDNS's latest security advisory reveals a deceptively simple logic bug that can let DNS access controls be sidestepped — a Time-of-Check Time-of-Use (TOCTOU) ordering flaw now tracked as CVE-2026-26017 — and while the fix landed quickly in CoreDNS 1.14.2, this vulnerability exposes hardened...
CoreDNS’s CVE-2024-0874 — a caching bug that can cause responses fetched with the DNS CD (Checking Disabled) flag to be stored and later served to queries missing that flag — is a real, practical risk for any environment that runs CoreDNS. The vulnerability was disclosed upstream in April 2024...