CVE-2026-62994
Received
Received - Intake
CoreDNS DNS Server Panic via Empty AXFR Response
Vulnerability report for CVE-2026-62994, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-16
Last updated on: 2026-07-16
Assigner: GitHub, Inc.
Description
Description
CoreDNS is a DNS server written in Go. From 1.9.4 until 1.14.5, a network DNS client allowed to request AXFR for a CoreDNS zone can trigger a panic when CoreDNS is configured with k8s_external headless-service zone transfers and Kubernetes contains a headless service endpoint with no declared ports; plugin/kubernetes/object/endpoint.go creates Port: -1, plugin/k8s_external/msg_to_dns.go skips that service, plugin/k8s_external/transfer.go sends an empty []dns.RR batch, and plugin/transfer/transfer.go indexes records[0] without checking the batch is non-empty. This issue is fixed in version 1.14.5.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coredns | coredns | From 1.9.4 (inc) to 1.14.5 (exc) |
| coredns | coredns | 1.14.5 |
| coredns | coredns | to 1.14.5 (inc) |
| coredns | coredns | 1.9.4 |
| coredns | coredns | 1.14.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-755 | The product does not handle or incorrectly handles an exceptional condition. |
| CWE-248 | An exception is thrown from a function, but it is not caught. |