Vulnerability-Lookup

WID-SEC-W-2026-1283

Vulnerability from csaf_certbund - Published: 2026-04-26 22:00 - Updated: 2026-06-10 22:00

Summary

CoreDNS: Mehrere Schwachstellen ermöglichen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: CoreDNS ist ein DNS server.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in CoreDNS ausnutzen, um Sicherheitsmaßnahmen zu umgehen und so vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme: - Sonstiges - UNIX

CVE-2026-33190

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source CoreDNS <1.14.3 Open Source / CoreDNS		<1.14.3
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3

CVE-2026-33489

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source CoreDNS <1.14.3 Open Source / CoreDNS		<1.14.3
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3

CVE-2026-35579

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source CoreDNS <1.14.3 Open Source / CoreDNS		<1.14.3
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3

CVE-2026-32934

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source CoreDNS <1.14.3 Open Source / CoreDNS		<1.14.3
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3

CVE-2026-32936

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source CoreDNS <1.14.3 Open Source / CoreDNS		<1.14.3
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3

References

10 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/coredns/coredns/security/advis…	external
https://github.com/coredns/coredns/security/advis…	external
https://github.com/coredns/coredns/security/advis…	external
https://github.com/coredns/coredns/security/advis…	external
https://github.com/coredns/coredns/security/advis…	external
https://lists.opensuse.org/archives/list/security…	external
https://msrc.microsoft.com/update-guide/	external
https://access.redhat.com/errata/RHSA-2026:25127	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "CoreDNS ist ein DNS server.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in CoreDNS ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und so vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1283 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1283.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1283 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1283"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-2wpx-qpw2-g5h5 vom 2026-04-26",
        "url": "https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-63cw-r7xf-jmwr vom 2026-04-26",
        "url": "https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-h8mm-c463-wjq3 vom 2026-04-26",
        "url": "https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-qhmp-q7xh-99rh vom 2026-04-26",
        "url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-vp29-5652-4fw9 vom 2026-04-26",
        "url": "https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10673-1 vom 2026-05-05",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q3OZSPPM6XK6DDXQVFJ4HPEX7OWUAW42/"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2026-05-12",
        "url": "https://msrc.microsoft.com/update-guide/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:25127 vom 2026-06-11",
        "url": "https://access.redhat.com/errata/RHSA-2026:25127"
      }
    ],
    "source_lang": "en-US",
    "title": "CoreDNS: Mehrere Schwachstellen erm\u00f6glichen",
    "tracking": {
      "current_release_date": "2026-06-10T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-11T10:21:00.199+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1283",
      "initial_release_date": "2026-04-26T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-26T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-05T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von European Union Vulnerability Database und openSUSE aufgenommen"
        },
        {
          "date": "2026-05-11T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2026-06-10T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "azl3",
                "product": {
                  "name": "Microsoft Azure Linux azl3",
                  "product_id": "T049210",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:microsoft:azure_linux:azl3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.14.3",
                "product": {
                  "name": "Open Source CoreDNS \u003c1.14.3",
                  "product_id": "T053352"
                }
              },
              {
                "category": "product_version",
                "name": "1.14.3",
                "product": {
                  "name": "Open Source CoreDNS 1.14.3",
                  "product_id": "T053352-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:coredns:coredns:1.14.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "CoreDNS"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-33190",
      "product_status": {
        "known_affected": [
          "T053352",
          "67646",
          "T027843",
          "T049210"
        ]
      },
      "release_date": "2026-04-26T22:00:00.000+00:00",
      "title": "CVE-2026-33190"
    },
    {
      "cve": "CVE-2026-33489",
      "product_status": {
        "known_affected": [
          "T053352",
          "67646",
          "T027843",
          "T049210"
        ]
      },
      "release_date": "2026-04-26T22:00:00.000+00:00",
      "title": "CVE-2026-33489"
    },
    {
      "cve": "CVE-2026-35579",
      "product_status": {
        "known_affected": [
          "T053352",
          "67646",
          "T027843",
          "T049210"
        ]
      },
      "release_date": "2026-04-26T22:00:00.000+00:00",
      "title": "CVE-2026-35579"
    },
    {
      "cve": "CVE-2026-32934",
      "product_status": {
        "known_affected": [
          "T053352",
          "67646",
          "T027843",
          "T049210"
        ]
      },
      "release_date": "2026-04-26T22:00:00.000+00:00",
      "title": "CVE-2026-32934"
    },
    {
      "cve": "CVE-2026-32936",
      "product_status": {
        "known_affected": [
          "T053352",
          "67646",
          "T027843",
          "T049210"
        ]
      },
      "release_date": "2026-04-26T22:00:00.000+00:00",
      "title": "CVE-2026-32936"
    }
  ]
}

CVE-2026-32934 (GCVE-0-2026-32934)

Vulnerability from cvelistv5 – Published: 2026-05-05 19:06 – Updated: 2026-05-06 15:14

Title

CoreDNS DNS-over-QUIC unbounded goroutine growth leads to denial of service

Summary

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/coredns/coredns/security/advis…	x_refsource_CONFIRM
https://github.com/coredns/coredns/releases/tag/v1.14.3	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
coredns	coredns	Affected: < 1.14.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32934",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-06T15:14:18.362180Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-06T15:14:54.790Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "coredns",
          "vendor": "coredns",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.14.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T19:06:17.080Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5"
        },
        {
          "name": "https://github.com/coredns/coredns/releases/tag/v1.14.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
        }
      ],
      "source": {
        "advisory": "GHSA-2wpx-qpw2-g5h5",
        "discovery": "UNKNOWN"
      },
      "title": "CoreDNS DNS-over-QUIC unbounded goroutine growth leads to denial of service"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32934",
    "datePublished": "2026-05-05T19:06:17.080Z",
    "dateReserved": "2026-03-17T00:05:53.282Z",
    "dateUpdated": "2026-05-06T15:14:54.790Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32936 (GCVE-0-2026-32936)

Vulnerability from cvelistv5 – Published: 2026-05-05 19:07 – Updated: 2026-05-05 19:32

Title

CoreDNS DoH GET path missing size validation causes CPU and memory amplification

Summary

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/coredns/coredns/security/advis…	x_refsource_CONFIRM
https://github.com/coredns/coredns/releases/tag/v1.14.3	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
coredns	coredns	Affected: < 1.14.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32936",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T19:32:21.653054Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-05T19:32:25.341Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "coredns",
          "vendor": "coredns",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.14.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T19:07:51.926Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr"
        },
        {
          "name": "https://github.com/coredns/coredns/releases/tag/v1.14.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
        }
      ],
      "source": {
        "advisory": "GHSA-63cw-r7xf-jmwr",
        "discovery": "UNKNOWN"
      },
      "title": "CoreDNS DoH GET path missing size validation causes CPU and memory amplification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32936",
    "datePublished": "2026-05-05T19:07:51.926Z",
    "dateReserved": "2026-03-17T00:05:53.282Z",
    "dateUpdated": "2026-05-05T19:32:25.341Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33190 (GCVE-0-2026-33190)

Vulnerability from cvelistv5 – Published: 2026-05-05 19:02 – Updated: 2026-05-06 12:47

Title

CoreDNS TSIG authentication bypass on encrypted DNS transports

Summary

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3 writer's TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-303 - Incorrect Implementation of Authentication Algorithm

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/coredns/coredns/security/advis…	x_refsource_CONFIRM
https://github.com/coredns/coredns/releases/tag/v1.14.3	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
coredns	coredns	Affected: < 1.14.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33190",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-06T12:46:45.291268Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-06T12:47:07.338Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "coredns",
          "vendor": "coredns",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.14.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer\u0027s TsigStatus() instead of performing verification itself. The DoH and DoH3 writer\u0027s TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-303",
              "description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T19:02:55.374Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
        },
        {
          "name": "https://github.com/coredns/coredns/releases/tag/v1.14.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
        }
      ],
      "source": {
        "advisory": "GHSA-qhmp-q7xh-99rh",
        "discovery": "UNKNOWN"
      },
      "title": "CoreDNS TSIG authentication bypass on encrypted DNS transports"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33190",
    "datePublished": "2026-05-05T19:02:55.374Z",
    "dateReserved": "2026-03-17T22:16:36.721Z",
    "dateUpdated": "2026-05-06T12:47:07.338Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33489 (GCVE-0-2026-33489)

Vulnerability from cvelistv5 – Published: 2026-05-05 19:13 – Updated: 2026-05-05 19:43

Title

CoreDNS transfer plugin subzone ACL bypass via lexicographic zone comparison

Summary

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., "example.org." > "a.example.org." lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3.

Severity

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/coredns/coredns/security/advis…	x_refsource_CONFIRM
https://github.com/coredns/coredns/releases/tag/v1.14.3	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
coredns	coredns	Affected: < 1.14.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33489",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T19:43:02.806824Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-05T19:43:06.361Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "coredns",
          "vendor": "coredns",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.14.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., \"example.org.\" \u003e \"a.example.org.\" lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T19:13:48.461Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3"
        },
        {
          "name": "https://github.com/coredns/coredns/releases/tag/v1.14.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
        }
      ],
      "source": {
        "advisory": "GHSA-h8mm-c463-wjq3",
        "discovery": "UNKNOWN"
      },
      "title": "CoreDNS transfer plugin subzone ACL bypass via lexicographic zone comparison"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33489",
    "datePublished": "2026-05-05T19:13:48.461Z",
    "dateReserved": "2026-03-20T16:16:48.971Z",
    "dateUpdated": "2026-05-05T19:43:06.361Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35579 (GCVE-0-2026-35579)

Vulnerability from cvelistv5 – Published: 2026-05-05 20:29 – Updated: 2026-05-06 14:30

Title

CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and DoH3 transports

Summary

CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary. An unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name. This issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only.

Severity

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-287 - Improper Authentication

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/coredns/coredns/security/advis…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
coredns	coredns	Affected: < 1.14.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35579",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-06T14:30:00.602863Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-06T14:30:35.454Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "coredns",
          "vendor": "coredns",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.14.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary.\n\nAn unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name.\n\nThis issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T20:29:16.903Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9"
        }
      ],
      "source": {
        "advisory": "GHSA-vp29-5652-4fw9",
        "discovery": "UNKNOWN"
      },
      "title": "CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and DoH3 transports"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-35579",
    "datePublished": "2026-05-05T20:29:16.903Z",
    "dateReserved": "2026-04-03T20:09:02.827Z",
    "dateUpdated": "2026-05-06T14:30:35.454Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1283

CVE-2026-32934 (GCVE-0-2026-32934)

CVE-2026-32936 (GCVE-0-2026-32936)

CVE-2026-33190 (GCVE-0-2026-33190)

CVE-2026-33489 (GCVE-0-2026-33489)

CVE-2026-35579 (GCVE-0-2026-35579)

Tags

Sightings

Nomenclature