๐Ÿ” CVE Alert

CVE-2026-62309

HIGH 7.5

CoreDNS: proxyproto plugin panics on PPv2 datagram with non-UDP transport โ€” single 28-byte packet remote DoS

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

CoreDNS is a DNS server written in Go. Prior to 1.14.4, a single 28-byte UDP datagram can crash the CoreDNS process when the proxyproto plugin is enabled because plugin/pkg/proxyproto/proxyproto.go PacketConn.ReadFrom handles a PROXY v2 header with non-UDP transport such as family byte 0x11, reassigns addr from a nil readFrom result after parseProxyProtocol errors, and calls addr.String() in the warning log before ServeDNS recovery applies. This issue is fixed in version 1.14.4.

CWE CWE-476
Vendor coredns
Product coredns
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for coredns coredns

Be the first to know when new high vulnerabilities affecting coredns coredns are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

coredns / coredns
< 1.14.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/coredns/coredns/security/advisories/GHSA-9rvv-m5g5-wc8r github.com: https://github.com/coredns/coredns/pull/8154 github.com: https://github.com/coredns/coredns/commit/60a439dd4febfcd78e3779e952fe3fbf3c16bb1f github.com: https://github.com/coredns/coredns/releases/tag/v1.14.4