PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62994 coredns CVE debrief

A network DNS client can trigger a panic in CoreDNS versions 1.9.4 to 1.14.4 when configured with k8s_external headless-service zone transfers and a Kubernetes headless service endpoint with no declared ports exists. The issue is resolved in CoreDNS version 1.14.5. This panic occurs due to the handling of headless services without ports in the k8s_external plugin and transfer process.

Vendor
coredns
Product
Unknown
CVSS
LOW 3.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Administrators and users of CoreDNS, especially those using k8s_external plugin and headless services in Kubernetes, should be aware of this issue. They need to assess their exposure, review configurations, and plan for updates or mitigations as necessary.

Technical summary

The panic occurs because plugin/kubernetes/object/endpoint.go sets Port: -1 for headless services without ports, plugin/k8s_external/msg_to_dns.go skips these services, and plugin/k8s_external/transfer.go sends an empty []dns.RR batch. Then, plugin/transfer/transfer.go attempts to index records[0] without checking if the batch is empty, causing the panic. The issue is fixed by ensuring proper handling of empty batches in the transfer process.

Defensive priority

Low

Recommended defensive actions

  • Update CoreDNS to version 1.14.5 or later
  • Review and adjust k8s_external plugin configurations
  • Monitor for unusual DNS requests and CoreDNS behavior
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

Official CVE and NVD records confirm the issue and its fix. Limited additional details are available. The issue involves CoreDNS versions 1.9.4 to 1.14.4, with a fix in version 1.14.5. The panic is triggered by a network DNS client requesting AXFR for a CoreDNS zone with specific configurations and a Kubernetes headless service endpoint with no declared ports.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T20:16:47.657Z and has not been modified since then.