CVE-2026-26017 — Time-of-check Time-of-use (TOCTOU) Race Condition in Coredns

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition8 documents7 sources

Severity

6.3MEDIUMNVD

EPSS

0.1%

top 81.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Coredns Github.com Coredns Coredns Coredns.io Coredns +2 more

Timeline

PublishedMar 6

Latest updateMar 10

Description

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 1.8 | Impact: 4.0

Affected Packages5 packages

▶CVEListV5coredns/coredns< 1.14.2

▶NVDcoredns.io/coredns< 1.14.2

▶Gogithub.com/coredns_coredns< 1.14.2

▶msrcmsrc/azl3_coredns_1.11.4-14_on_azure_linux_3.0

▶msrcmsrc/cbl2_coredns_1.11.1-25_on_cbl_mariner_2.0

🔴Vulnerability Details

OSV

CoreDNS ACL Bypass in github.com/coredns/coredns↗2026-03-10

▶

GHSA

CoreDNS ACL Bypass↗2026-03-06

▶

OSV

CoreDNS ACL Bypass↗2026-03-06

▶

📋Vendor Advisories

Microsoft

CoreDNS ACL Bypass↗2026-03-10

▶

Red Hat

github.com/coredns/coredns: CoreDNS: DNS access control bypass due to plugin execution order flaw↗2026-03-06

▶

🕵️Threat Intelligence

Bleepingcomputer

Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws↗2026-03-10

▶

Wiz

CVE-2026-26017 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶