NIXPKGS-2026-0528

GitHub issue published on 7 Mar 2026

Permalink CVE-2026-26018

updated 1 week, 1 day ago by @mweinelt Activity log

Created automatic suggestion 1 week, 1 day ago
@mweinelt accepted 1 week, 1 day ago
@mweinelt published on GitHub 1 week, 1 day ago

CoreDNS Loop Detection Denial of Service Vulnerability

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process. This issue has been patched in version 1.14.2.

References

https://github.com/coredns/coredns/security/advisories/GHSA-h75p-j8xm-m278 x_refsource_CONFIRM
https://github.com/coredns/coredns/releases/tag/v1.14.2 x_refsource_MISC

Affected products

coredns

==< 1.14.2

Matching in nixpkgs

pkgs.coredns

DNS server that runs middleware

nixos-unstable 1.14.1
- nixpkgs-unstable 1.14.1
- nixos-unstable-small 1.14.1
nixos-25.11 1.13.2
- nixos-25.11-small 1.13.2
- nixpkgs-25.11-darwin 1.13.2

Package maintainers

@rushmorem Rushmore Mushambi <rushmore@webenchanter.com>
@DeltaEvo Duarte David <deltaduartedavid@gmail.com>
@rtreffer Rene Treffer <treffer+nixos@measite.de>

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0528

References

Affected products

Matching in nixpkgs

pkgs.coredns

Package maintainers