cert-manager-controller DoS via Specially Crafted DNS Response
Description
cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/cert-manager/cert-managerGo | >= 1.18.0, < 1.18.5 | 1.18.5 |
github.com/cert-manager/cert-managerGo | >= 1.19.0, < 1.19.3 | 1.19.3 |
Affected products
41- osv-coords40 versionspkg:apk/chainguard/aws-privateca-issuerpkg:apk/chainguard/aws-privateca-issuer-fipspkg:apk/chainguard/cert-manager-cmctlpkg:apk/chainguard/cert-manager-cmctl-fipspkg:apk/chainguard/cert-manager-csi-driverpkg:apk/chainguard/cert-manager-csi-driver-fipspkg:apk/chainguard/cert-manager-google-cas-issuerpkg:apk/chainguard/cert-manager-google-cas-issuer-fipspkg:apk/chainguard/cert-manager-istio-csrpkg:apk/chainguard/cert-manager-istio-csr-fipspkg:apk/chainguard/cert-manager-openshift-routespkg:apk/chainguard/cert-manager-openshift-routes-fipspkg:apk/chainguard/cert-manager-webhook-pdnspkg:apk/chainguard/cert-manager-webhook-pdns-fipspkg:apk/chainguard/gitlab-operatorpkg:apk/chainguard/gitlab-operator-fipspkg:apk/chainguard/mariadb-operatorpkg:apk/chainguard/mariadb-operator-fipspkg:apk/chainguard/opentelemetry-operatorpkg:apk/chainguard/opentelemetry-operator-fipspkg:apk/chainguard/percona-server-mongodb-operatorpkg:apk/chainguard/percona-server-mongodb-operator-fipspkg:apk/chainguard/percona-xtradb-cluster-operatorpkg:apk/chainguard/percona-xtradb-cluster-operator-fipspkg:apk/chainguard/percona-xtradb-cluster-operator-fips-pitrpkg:apk/chainguard/percona-xtradb-cluster-operator-pitrpkg:apk/chainguard/step-issuerpkg:apk/chainguard/step-issuer-fipspkg:apk/wolfi/aws-privateca-issuerpkg:apk/wolfi/cert-manager-cmctlpkg:apk/wolfi/cert-manager-csi-driverpkg:apk/wolfi/cert-manager-istio-csrpkg:apk/wolfi/cert-manager-webhook-pdnspkg:apk/wolfi/mariadb-operatorpkg:apk/wolfi/opentelemetry-operatorpkg:apk/wolfi/percona-server-mongodb-operatorpkg:apk/wolfi/step-issuerpkg:bitnami/cert-managerpkg:golang/github.com/cert-manager/cert-managerpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 1.8.0-r3+ 39 more
- (no CPE)range: < 1.8.0-r3
- (no CPE)range: < 1.8.0-r2
- (no CPE)range: < 2.4.0-r3
- (no CPE)range: < 2.4.0-r3
- (no CPE)range: < 0.12.0-r2
- (no CPE)range: < 0.12.0-r2
- (no CPE)range: < 0.10.2-r2
- (no CPE)range: < 0.10.2-r2
- (no CPE)range: < 0.15.0-r2
- (no CPE)range: < 0.15.0-r2
- (no CPE)range: < 0.8.4-r3
- (no CPE)range: < 0.8.4-r2
- (no CPE)range: < 2.5.3-r6
- (no CPE)range: < 2.5.3-r6
- (no CPE)range: < 2.8.2-r1
- (no CPE)range: < 2.8.2-r1
- (no CPE)range: < 26.3.0-r1
- (no CPE)range: < 26.3.0-r1
- (no CPE)range: < 0.144.0-r3
- (no CPE)range: < 0.144.0-r1
- (no CPE)range: < 1.21.2-r3
- (no CPE)range: < 1.21.2-r2
- (no CPE)range: < 1.19.0-r2
- (no CPE)range: < 1.19.0-r1
- (no CPE)range: < 1.19.0-r1
- (no CPE)range: < 1.19.0-r2
- (no CPE)range: < 0.9.11-r2
- (no CPE)range: < 0.9.11-r3
- (no CPE)range: < 1.8.0-r3
- (no CPE)range: < 2.4.0-r3
- (no CPE)range: < 0.12.0-r2
- (no CPE)range: < 0.15.0-r2
- (no CPE)range: < 2.5.3-r6
- (no CPE)range: < 26.3.0-r1
- (no CPE)range: < 0.144.0-r3
- (no CPE)range: < 1.21.2-r3
- (no CPE)range: < 0.9.11-r2
- (no CPE)range: >= 1.18.0, < 1.18.5
- (no CPE)range: >= 1.18.0, < 1.18.5
- (no CPE)range: < 0.0.20260226T182644-150000.1.149.1
- Range: >= 1.18.0, < 1.18.5
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-gx3x-vq4p-mhhvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25518ghsaADVISORY
- github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2ccghsax_refsource_MISCWEB
- github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327dghsax_refsource_MISCWEB
- github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2ghsax_refsource_MISCWEB
- github.com/cert-manager/cert-manager/pull/8467ghsax_refsource_MISCWEB
- github.com/cert-manager/cert-manager/pull/8468ghsax_refsource_MISCWEB
- github.com/cert-manager/cert-manager/pull/8469ghsax_refsource_MISCWEB
- github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhvghsax_refsource_CONFIRMWEB
- pkg.go.dev/vuln/GO-2026-4399ghsaWEB
News mentions
0No linked articles in our index yet.