PatchSiren cyber security CVE debrief
CVE-2026-62994 coredns CVE debrief
A network DNS client can trigger a panic in CoreDNS versions 1.9.4 to 1.14.4 when configured with k8s_external headless-service zone transfers and a Kubernetes headless service endpoint with no declared ports exists. The issue is resolved in CoreDNS version 1.14.5. This panic occurs due to the handling of headless services without ports in the k8s_external plugin and transfer process.
- Vendor
- coredns
- Product
- Unknown
- CVSS
- LOW 3.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Administrators and users of CoreDNS, especially those using k8s_external plugin and headless services in Kubernetes, should be aware of this issue. They need to assess their exposure, review configurations, and plan for updates or mitigations as necessary.
Technical summary
The panic occurs because plugin/kubernetes/object/endpoint.go sets Port: -1 for headless services without ports, plugin/k8s_external/msg_to_dns.go skips these services, and plugin/k8s_external/transfer.go sends an empty []dns.RR batch. Then, plugin/transfer/transfer.go attempts to index records[0] without checking if the batch is empty, causing the panic. The issue is fixed by ensuring proper handling of empty batches in the transfer process.
Defensive priority
Low
Recommended defensive actions
- Update CoreDNS to version 1.14.5 or later
- Review and adjust k8s_external plugin configurations
- Monitor for unusual DNS requests and CoreDNS behavior
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
Official CVE and NVD records confirm the issue and its fix. Limited additional details are available. The issue involves CoreDNS versions 1.9.4 to 1.14.4, with a fix in version 1.14.5. The panic is triggered by a network DNS client requesting AXFR for a CoreDNS zone with specific configurations and a Kubernetes headless service endpoint with no declared ports.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T20:16:47.657Z and has not been modified since then.