PatchSiren

coredns CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW coredns CVE published 2026-07-16

CVE-2026-62994

A network DNS client can trigger a panic in CoreDNS versions 1.9.4 to 1.14.4 when configured with k8s_external headless-service zone transfers and a Kubernetes headless service endpoint with no declared ports exists. The issue is resolved in CoreDNS version 1.14.5. This panic occurs due to the handling of headless services without ports in the k8s_external plugin and transfer process.

HIGH coredns CVE published 2026-07-16

CVE-2026-62309

A security issue was found in CoreDNS, a DNS server written in Go, which can cause the process to crash when the proxyproto plugin is enabled. This occurs when a single 28-byte UDP datagram is received, specifically if it contains a PROXY v2 header with a non-UDP transport, such as family byte 0x11. The issue arises from how the PacketConn.ReadFrom function in plugin/pkg/proxyproto/proxyproto.go handles e [truncated]

MEDIUM coredns CVE published 2026-07-16

CVE-2026-62299

CVE-2026-62299 is a vulnerability in the CoreDNS rewrite plugin that can cause a panic and return SERVFAIL or crash the CoreDNS process via a single ordinary DNS query matching a specific edns0 rewrite rule. This issue is fixed in version 1.14.5. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. The affected product is CoreDNS, and the vulnerability is related to the rewrite plugin. The [truncated]