SB2026030624 - Multiple vulnerabilities in CoreDNS
Published: March 6, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Predictable Seed in Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2026-26018)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to the use of a predictable pseudo-random number generator (PRNG) to generate a secret query name, combined with a fatal error handler. A remote attacker can send specially crafted DNS queries to the server and perform a denial of service attack.
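The weakness class behind this first vulnerability, shown as an added Go example that is not CoreDNS code and does not come from the bulletin: a name drawn from a seeded `math/rand` generator can be reproduced by anyone who can bound the seed, while a name drawn from `crypto/rand` cannot. The function names, the `example.` suffix and the choice of a Unix timestamp in seconds as the seed are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
	"time"
)

// weakName models the flawed pattern (hypothetical helper): a "secret" name
// built from math/rand output, fully determined by the seed value.
func weakName(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	return fmt.Sprintf("%d.%d.example.", r.Int(), r.Int())
}

// strongName draws 16 bytes from the OS CSPRNG, so there is no seed to guess.
func strongName() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b) + ".example.", nil
}

// predictableWithin is an audit check: it reports whether any seed in
// [start, start+n) reproduces name, i.e. whether the name is not secret.
func predictableWithin(name string, start, n int64) bool {
	for s := start; s < start+n; s++ {
		if weakName(s) == name {
			return true
		}
	}
	return false
}

func main() {
	boot := time.Now().Unix() // constructed stand-in for the seed (assumption)
	weak := weakName(boot)
	strong, err := strongName()
	if err != nil {
		panic(err)
	}
	fmt.Println("weak name reproducible:", predictableWithin(weak, boot-60, 120))
	fmt.Println("strong name reproducible:", predictableWithin(strong, boot-60, 120))
}
```

Where a matching name also triggers a fatal exit, as the bulletin describes, a guessable name turns into a remote crash, so the unpredictability of the name is what the availability of the process depends on.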
2) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-26017)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to a race condition in the default execution order of plugins. A remote user can bypass implemented ACL restrictions and gain unauthorized access to protected systems. In multi-tenant Kubernetes clusters, it is possible to bypass DNS-based segmentation and perform unauthorized service discovery and reconnaissance of restricted internal infrastructure.
Remediation
Install the update from the vendor's website.