CVE-2026-62299
Received Received - Intake

CoreDNS DoS via EDNS0 Rewrite Plugin OPT Dereference

Vulnerability report for CVE-2026-62299, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

CoreDNS is a DNS server written in Go. Prior to 1.14.5, the CoreDNS rewrite plugin supports edns0 rewrite rules with an optional revert flag, and two response rules, edns0SetResponseRule and edns0ReplaceResponseRule[T] in plugin/rewrite/edns0.go, call res.IsEdns0() and immediately dereference the returned *dns.OPT without a nil check when a downstream plugin returns a response with no OPT record. A remote, unauthenticated client can send a single ordinary DNS query matching a rewrite edns0 <local|nsid|subnet> <set|append|replace> ... revert rule, causing ResponseReverter in plugin/rewrite/reverter.go to panic, return SERVFAIL, and degrade availability, or crash the CoreDNS process if the debug directive disables recovery. This issue is fixed in version 1.14.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coredns coredns to 1.14.5 (exc)
coredns coredns 1.14.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-62299 is a denial-of-service vulnerability in CoreDNS versions up to 1.14.4. It occurs in the rewrite plugin's EDNS0 response-revert feature. When a downstream plugin returns a response without an OPT record, the plugin's functions call IsEdns0() which returns nil, then dereference this nil pointer without checking, causing a panic. This leads to SERVFAIL responses or crashes if debug mode is enabled.

Detection Guidance

To detect this vulnerability, check if your CoreDNS version is below 1.14.5 using the command: coredns -version. If the version is 1.14.4 or earlier, the system is vulnerable. Additionally, monitor CoreDNS logs for SERVFAIL responses or process crashes, especially when EDNS0 rewrite rules are configured.

Impact Analysis

This vulnerability allows a remote attacker to send a single DNS query that triggers a panic in CoreDNS. In default configurations, this causes SERVFAIL responses for affected queries, degrading service availability. If debug mode is enabled, the entire CoreDNS process crashes, completely stopping DNS resolution.

Compliance Impact

This vulnerability primarily causes a denial of service by crashing CoreDNS or degrading service for affected queries. It does not directly impact data confidentiality or integrity, which are key focus areas for GDPR and HIPAA. However, prolonged service degradation could indirectly affect compliance by disrupting access to critical systems or data processing operations.

Mitigation Strategies

Upgrade CoreDNS to version 1.14.5 or later immediately. If upgrading is not possible, disable the rewrite plugin or avoid using EDNS0 response-revert rules in the configuration. Ensure debug mode is disabled to prevent process crashes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62299. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart