🟠 High  |  Source: Microsoft Security Response Center


A vulnerability in CoreDNS’s proxyproto plugin causes it to panic and crash when it receives a specifically crafted 28-byte Proxy Protocol version 2 (PPv2) datagram over a non-UDP transport. An unauthenticated remote attacker can exploit this with a single malicious packet, making it trivially easy to take down DNS resolution in affected environments. Any Kubernetes or Azure service relying on CoreDNS for internal DNS is at risk of a denial-of-service outage.

Security Architect’s Take: Identify all environments running CoreDNS with the proxyproto plugin enabled — this is particularly relevant for AKS clusters and self-managed Kubernetes on Azure. Apply the patched CoreDNS release as a priority, and in the interim consider restricting network access to CoreDNS endpoints and disabling the proxyproto plugin if it is not operationally required.

Original advisory: CVE-2026-62309 CoreDNS: proxyproto plugin panics on PPv2 datagram with non-UDP transport — single 28-byte packet remote DoS