CVE-2026-62309
Received Received - Intake

Denial of Service in CoreDNS via PROXY Protocol

Vulnerability report for CVE-2026-62309, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

CoreDNS is a DNS server written in Go. Prior to 1.14.4, a single 28-byte UDP datagram can crash the CoreDNS process when the proxyproto plugin is enabled because plugin/pkg/proxyproto/proxyproto.go PacketConn.ReadFrom handles a PROXY v2 header with non-UDP transport such as family byte 0x11, reassigns addr from a nil readFrom result after parseProxyProtocol errors, and calls addr.String() in the warning log before ServeDNS recovery applies. This issue is fixed in version 1.14.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coredns coredns to 1.14.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in CoreDNS involves a crash caused by a malformed PROXY protocol v2 header. When the proxyproto plugin is enabled, a single 28-byte UDP datagram with a non-UDP transport type (like TCPv4) can trigger a nil pointer dereference in the PacketConn.ReadFrom function. This leads to a crash of the CoreDNS process before request handling begins, making the DNS listener unavailable until restarted.

Detection Guidance

To detect this vulnerability, monitor CoreDNS logs for crashes or SIGSEGV errors when the proxyproto plugin is enabled. Check for malformed PROXY protocol v2 packets with non-UDP transport types (e.g., TCPv4) by analyzing network traffic with tools like tcpdump or Wireshark. Commands: tcpdump -i any -w cve_2026_62309.pcap 'port 53 and udp' to capture DNS traffic, then inspect for 28-byte PROXY protocol packets.

Impact Analysis

The vulnerability allows a remote, unauthenticated attacker to crash the CoreDNS process with a single malformed packet. This causes the DNS service to become unavailable, leading to downtime and potential disruptions in DNS resolution for affected systems. The attack is repeatable and durable, requiring no special privileges.

Compliance Impact

This vulnerability primarily impacts availability by causing CoreDNS to crash, which could lead to service disruptions. For compliance standards like GDPR or HIPAA that require high availability of critical services, repeated crashes could result in non-compliance due to prolonged downtime of DNS resolution services.

Mitigation Strategies

Immediately upgrade CoreDNS to version 1.14.4 or later. If upgrading is not possible, disable the proxyproto plugin or restrict allowed source addresses to trusted load balancers. Ensure per-request panic recovery is enabled in CoreDNS configuration to minimize downtime during crashes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62309. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart