CVE-2026-26018Predictable Seed in Pseudo-Random Number Generator in Coredns

CWE-337Predictable Seed in Pseudo-Random Number GeneratorCWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or ThrottlingCWE-1241Use of Predictable Algorithm in Random Number Generator8 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 77.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
CorednsGithub.com Coredns CorednsCoredns.io Coredns+2 more
Timeline
PublishedMar 6
Latest updateMar 10

Description

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process. This issue has been patched in version 1.14.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

CVEListV5coredns/coredns< 1.14.2
NVDcoredns.io/coredns< 1.14.2

🔴Vulnerability Details

3
OSV
CoreDNS Loop Detection Denial of Service Vulnerability in github.com/coredns/coredns2026-03-10
OSV
CoreDNS Loop Detection Denial of Service Vulnerability2026-03-06
GHSA
CoreDNS Loop Detection Denial of Service Vulnerability2026-03-06

📋Vendor Advisories

2
Microsoft
CoreDNS Loop Detection Denial of Service Vulnerability2026-03-10
Red Hat
github.com/coredns/coredns: CoreDNS: Denial of Service vulnerability due to predictable pseudo-random number generation2026-03-06

🕵️Threat Intelligence

2
Bleepingcomputer
Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws2026-03-10
Wiz
CVE-2026-26018 Impact, Exploitability, and Mitigation Steps | Wiz