CVE-2026-62994 in CoreDNSinfo

Summary

by MITRE • 07/16/2026

CoreDNS is a DNS server written in Go. From 1.9.4 until 1.14.5, a network DNS client allowed to request AXFR for a CoreDNS zone can trigger a panic when CoreDNS is configured with k8s_external headless-service zone transfers and Kubernetes contains a headless service endpoint with no declared ports; plugin/kubernetes/object/endpoint.go creates Port: -1, plugin/k8s_external/msg_to_dns.go skips that service, plugin/k8s_external/transfer.go sends an empty []dns.RR batch, and plugin/transfer/transfer.go indexes records[0] without checking the batch is non-empty. This issue is fixed in version 1.14.5.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

This vulnerability affects CoreDNS versions between 1.9.4 and 1.14.5, specifically when configured with k8s_external plugin and headless service zone transfers. The flaw manifests when Kubernetes contains a headless service endpoint without declared ports, creating a condition where the endpoint object is processed with Port: -1 in the kubernetes/object/endpoint.go component. This negative port value causes downstream processing issues that ultimately lead to a panic condition.

The technical execution path begins with the k8s_external plugin's handling of headless services where endpoints lack explicit port declarations. When such endpoints are encountered, the system creates Port: -1 in the endpoint object representation. Subsequently, the plugin/k8s_external/msg_to_dns.go component processes these entries but skips the service due to invalid port values. However, this skipping process results in an empty []dns.RR batch being generated, which then flows to plugin/transfer/transfer.go where the code attempts to index records[0] without verifying that the batch contains any elements. This direct indexing of an empty array causes a panic condition that crashes the CoreDNS server.

The operational impact of this vulnerability is significant as it represents a denial-of-service condition that can be triggered by any external DNS client capable of requesting AXFR (zone transfer) operations against a vulnerable CoreDNS instance. Attackers can exploit this by crafting malicious DNS queries that target specific Kubernetes headless services with improperly configured endpoints, potentially causing service disruption in containerized environments where CoreDNS serves as the primary DNS resolver. This vulnerability affects deployments using the k8s_external plugin configuration combined with Kubernetes headless services, which are common in microservices architectures and stateful applications.

The vulnerability aligns with CWE-129, Input Validation, and CWE-476, NULL Pointer Dereference, while also mapping to ATT&CK technique T1499.004 for Network Denial of Service. The root cause stems from inadequate input validation and error handling within the DNS transfer processing pipeline. Organizations using CoreDNS with k8s_external plugin should immediately upgrade to version 1.14.5 or later where this vulnerability has been patched. Additionally, administrators should review their Kubernetes service configurations to ensure headless services properly declare ports, and implement monitoring for unexpected DNS panic conditions that could indicate exploitation attempts.

This issue demonstrates the complexity of DNS server security in containerized environments where multiple plugins interact with Kubernetes API objects. The cascade of processing errors from invalid endpoint port handling to empty batch indexing illustrates how seemingly minor configuration issues can lead to critical system failures. The fix implemented in version 1.14.5 addresses the core problem by adding proper bounds checking before array indexing operations, ensuring that transfer operations gracefully handle empty DNS record batches rather than crashing on null or empty data structures.

Responsible

GitHub M

Reservation

07/15/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!