CVE-2026-35579
published 2026-05-05


Priority P269, critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.51% (39.6th percentile)
CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary. An unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name. This issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only.
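To make the control-flow defect concrete, the following Go model is added here; it is not CoreDNS's code, and it signs a bare payload rather than a real DNS wire message. It shows the key-name-only lookup the advisory describes for gRPC/QUIC, the always-nil status it describes for DoH/DoH3, and the HMAC recomputation and constant-time comparison a correct verification path must perform.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Constructed model of a TSIG-gated request (not CoreDNS code); the MAC here covers the payload only.
type tsigRequest struct {
	keyName string
	payload []byte
	mac     []byte
}

var errTsigInvalid = errors.New("tsig: unknown key or bad MAC")

// vulnerableGRPCCheck follows the flawed gRPC/QUIC pattern: success as soon as
// the key name is configured; the HMAC is never recomputed, so status stays nil.
func vulnerableGRPCCheck(secrets map[string][]byte, r tsigRequest) error {
	if _, ok := secrets[r.keyName]; !ok {
		return errTsigInvalid
	}
	return nil
}

// vulnerableDoHStatus models DoHWriter.TsigStatus(): nil for every request, whatever the key name or MAC.
func vulnerableDoHStatus(_ tsigRequest) error { return nil }

// fixedCheck is the verification both paths need: look up the key, recompute
// the HMAC over the signed bytes, and compare it in constant time.
func fixedCheck(secrets map[string][]byte, r tsigRequest) error {
	secret, ok := secrets[r.keyName]
	if !ok {
		return errTsigInvalid
	}
	m := hmac.New(sha256.New, secret)
	m.Write(r.payload)
	if !hmac.Equal(m.Sum(nil), r.mac) {
		return errTsigInvalid
	}
	return nil
}

// sign produces a correctly signed request (the legitimate client case).
func sign(secret []byte, keyName string, payload []byte) tsigRequest {
	m := hmac.New(sha256.New, secret)
	m.Write(payload)
	return tsigRequest{keyName: keyName, payload: payload, mac: m.Sum(nil)}
}
```

The key name, secret and payload below are constructed values; only fixedCheck rejects a request whose MAC does not match the configured key.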

Affected (6 ranges)

Vendor       Product                   Version range     Fixed in
coredns.io   coredns                   < 1.14.3          1.14.3
coredns      coredns                   < 1.14.3          1.14.3
github.com   coredns_coredns           >= 0, < 1.14.3    1.14.3
openshift4   ose-coredns-rhel9         -                 -
rhacm2       lighthouse-agent-rhel9    -                 -
rhacm2       lighthouse-coredns-rhel9  -                 -

Detection & IOCs (extracted from sources)

  • gRPC/QUIC transports: the bypass occurs when the TSIG key name matches a configured key but the HMAC is never validated (dns.TsigVerify() is never called). Look for DNS requests over gRPC or QUIC that carry a TSIG record with an arbitrary MAC value and are nonetheless accepted as authenticated.
  • DoH/DoH3 transports: any DNS request containing a TSIG record is treated as authenticated regardless of key name or MAC value. Monitor DoH/DoH3 traffic for TSIG records with invalid or arbitrary key names being accepted, especially on AXFR/IXFR or dynamic update requests.
  • Monitor for unauthorized AXFR/IXFR zone transfer requests or dynamic DNS update requests arriving over gRPC, QUIC, DoH, or DoH3, which may indicate exploitation of the TSIG bypass.
  • DoH/DoH3 exploitation has the lower bar, since the attacker does not need a valid TSIG key name. Alert on any DoH/DoH3 DNS request carrying a TSIG record, particularly one requesting a zone transfer or dynamic update.
  • The vulnerability affects CoreDNS versions prior to 1.14.3 only; upgrade to 1.14.3 to remediate. The Red Hat packages rhacm2/lighthouse-agent-rhel9, rhacm2/lighthouse-coredns-rhel9, and openshift4/ose-coredns-rhel9 are confirmed affected.
  • The TSIG bypass applies only to the gRPC, QUIC, DoH, and DoH3 transports; standard DNS-over-UDP/TCP TSIG handling is not described as affected. Scope detection rules to these transports.
  • For gRPC/QUIC, the tsigStatus field remaining nil is the root indicator of the bypass; for DoH/DoH3, DoHWriter.TsigStatus() unconditionally returns nil regardless of input, so without the patch no per-request state at the application layer distinguishes legitimate from malicious traffic.

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 8.2 HIGH, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat (vendor): 8.2 HIGH