Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-26018 is a high-severity denial of service (DoS) vulnerability in CoreDNS's loop detection plugin affecting versions prior to 1.14.2."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the plugin uses a predictable pseudo-random number generator (PRNG) seeded with the current time to generate a secret query name (qname). An attacker who can guess or observe this qname can send specially crafted DNS queries that cause the plugin to detect a forwarding loop.'}, {'type': 'paragraph', 'content': 'When the plugin detects three or more matching HINFO queries with the secret qname, it calls a fatal error handler that immediately terminates the CoreDNS process without cleanup or recovery, crashing the DNS server.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability can cause complete DNS resolution failure within Kubernetes clusters using CoreDNS.

• The DNS server crashes and stops responding due to the fatal termination triggered by crafted queries.
• This leads to cascading service discovery failures across the cluster.
• Persistent attacks may cause crash-restart loops, resulting in broad application-level disruptions.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for repeated HINFO DNS queries with the same secret query name (qname) generated by the CoreDNS loop detection plugin. An attacker sends three or more matching HINFO queries with a predictable qname to trigger the denial of service.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can inspect CoreDNS logs for repeated HINFO queries with identical qnames, especially if they occur in quick succession.'}, {'type': 'paragraph', 'content': 'Since the qname is generated using a predictable pseudo-random number generator seeded with the server start time, if you have access to logs, you can identify the qname values used in these queries.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network packet capture tools to filter for HINFO DNS queries targeting your CoreDNS server, for example:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> udp port 53 and 'udp[10] = 16' # Filters for DNS HINFO queries (type 16)"}, {'type': 'list_item', 'content': 'Alternatively, use tshark to filter and analyze DNS query types:'}, {'type': 'list_item', 'content': "tshark -i <interface> -Y 'dns.qry.type == 16' -T fields -e dns.qry.name"}, {'type': 'paragraph', 'content': 'Review the output for repeated identical qnames in HINFO queries, which may indicate an attempt to exploit the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade CoreDNS to version 1.14.2 or later, where the vulnerability has been patched by fixing the predictable PRNG seeding and the fatal error handling.

Until the upgrade can be performed, consider restricting network access to the CoreDNS server to trusted sources only, to reduce the risk of an attacker sending crafted HINFO queries.

Additionally, monitor CoreDNS logs and network traffic for suspicious repeated HINFO queries as a temporary detection measure.

Useful 0 Not Useful 0