🟠 High  |  Source: Microsoft Security Response Center


A nil-pointer dereference vulnerability in CoreDNS’s rewrite plugin can cause a remote denial-of-service (DoS) condition. When a downstream plugin returns a DNS response lacking an OPT record, the EDNS0 response-revert logic panics, crashing the CoreDNS process. This is exploitable remotely, making it a meaningful availability risk for any Kubernetes or Azure workload relying on CoreDNS for DNS resolution.

Security Architect’s Take: Identify all environments using CoreDNS with the rewrite plugin enabled — particularly AKS clusters and self-managed Kubernetes on Azure — and apply the patched CoreDNS version as soon as it is available. As an interim measure, consider restricting external DNS query paths and monitoring for unexpected CoreDNS process restarts.

Original advisory: CVE-2026-62299 CoreDNS: rewrite-plugin EDNS0 response-revert nil-pointer panic (remote DoS) when a downstream plugin returns a response with no OPT record