A network DNS client can trigger a panic in CoreDNS versions 1.9.4 to 1.14.4 when configured with k8s_external headless-service zone transfers and a Kubernetes headless service endpoint with no declared ports exists. The issue is resolved in CoreDNS version 1.14.5. This panic occurs due to the handling of headless services without ports in the k8s_external plugin and transfer process.
A security issue was found in CoreDNS, a DNS server written in Go, which can cause the process to crash when the proxyproto plugin is enabled. This occurs when a single 28-byte UDP datagram is received, specifically if it contains a PROXY v2 header with a non-UDP transport, such as family byte 0x11. The issue arises from how the PacketConn.ReadFrom function in plugin/pkg/proxyproto/proxyproto.go handles e [truncated]
CVE-2026-62299 is a vulnerability in the CoreDNS rewrite plugin that can cause a panic and return SERVFAIL or crash the CoreDNS process via a single ordinary DNS query matching a specific edns0 rewrite rule. This issue is fixed in version 1.14.5. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. The affected product is CoreDNS, and the vulnerability is related to the rewrite plugin. The [truncated]