CVE-2026-25518
Denial of Service via DNS Cache Poisoning in cert-manager

Publication date: 2026-02-04

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial-of-service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3.
Meta Information
Published: 2026-02-04
Last Modified: 2026-02-27
Generated: 2026-05-07
AI Q&A: 2026-02-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Two associated CPEs:
Vendor | Product | Version / Range
cert-manager | cert-manager | From 1.18.0 (inc) to 1.18.5 (exc)
cert-manager | cert-manager | From 1.19.0 (inc) to 1.19.3 (exc)
CWE
CWE-129: The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
CWE-704: The product does not correctly convert an object, resource, or structure from one type to a different type.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


How can this vulnerability impact me?

The primary impact of this vulnerability is a denial-of-service (DoS) condition on the cert-manager controller. If an attacker intercepts or controls DNS traffic, they can cause the cert-manager controller to panic and crash, disrupting the process of obtaining, renewing, and using certificates within Kubernetes clusters. This disruption can affect the availability of certificate management services, potentially impacting applications and services that rely on cert-manager for TLS certificates.


Can you explain this vulnerability to me?

This vulnerability exists in cert-manager versions 1.18.0 to before 1.18.5 and 1.19.0 to before 1.19.3. The cert-manager-controller performs DNS lookups during ACME DNS-01 processing using standard unencrypted DNS by default. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. When cert-manager accesses this malicious entry, it triggers a panic, causing the cert-manager controller to crash and resulting in a denial-of-service (DoS). The vulnerability can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade cert-manager to version 1.18.5 or later if you are using the 1.18.x series, or to version 1.19.3 or later if you are using the 1.19.x series.

This update patches the issue where unencrypted DNS lookups during ACME DNS-01 processing could be exploited to cause a denial-of-service by triggering a panic in the cert-manager controller.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

