CVE-2026-25518
Unknown Unknown - Not Provided
Denial of Service via DNS Cache Poisoning in cert-manager

Publication date: 2026-02-04

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25518
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cert-manager cert-manager From 1.18.0 (inc) to 1.18.5 (exc)
cert-manager cert-manager From 1.19.0 (inc) to 1.19.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
CWE-704 The product does not correctly convert an object, resource, or structure from one type to a different type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

I don't know

Compliance Impact

I don't know

Impact Analysis

The primary impact of this vulnerability is a denial-of-service (DoS) condition on the cert-manager controller. If an attacker intercepts or controls DNS traffic, they can cause the cert-manager controller to panic and crash, disrupting the process of obtaining, renewing, and using certificates within Kubernetes clusters. This disruption can affect the availability of certificate management services, potentially impacting applications and services that rely on cert-manager for TLS certificates.

Executive Summary

This vulnerability exists in cert-manager versions 1.18.0 to before 1.18.5 and 1.19.0 to before 1.19.3. The cert-manager-controller performs DNS lookups during ACME DNS-01 processing using standard unencrypted DNS by default. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. When cert-manager accesses this malicious entry, it triggers a panic, causing the cert-manager controller to crash and resulting in a denial-of-service (DoS). The vulnerability can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor.

Mitigation Strategies

To mitigate this vulnerability, upgrade cert-manager to version 1.18.5 or later if you are using the 1.18.x series, or to version 1.19.3 or later if you are using the 1.19.x series.

This update patches the issue where unencrypted DNS lookups during ACME DNS-01 processing could be exploited to cause a denial-of-service by triggering a panic in the cert-manager controller.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25518. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart