VYPR

apk package

chainguard/eks-distro-coredns-1.36

pkg:apk/chainguard/eks-distro-coredns-1.36

Vulnerabilities (30)

  • CVE-2026-39830CriMay 22, 2026
    affected < 0fixed 0

    A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now

  • CVE-2026-39829HigMay 22, 2026
    affected < 0fixed 0

    The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clien

  • CVE-2026-39828MedMay 22, 2026
    affected < 0fixed 0

    When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with Par

  • CVE-2026-39827MedMay 22, 2026
    affected < 0fixed 0

    An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state

  • CVE-2026-33814HigMay 7, 2026
    affected < 1.36.2-r2fixed 1.36.2-r2

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-35579CriMay 5, 2026
    affected < 1.36.2-r6fixed 1.36.2-r6

    CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigV

  • CVE-2026-33489HigMay 5, 2026
    affected < 1.36.2-r6fixed 1.36.2-r6

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string

  • CVE-2026-33190HigMay 5, 2026
    affected < 1.36.2-r6fixed 1.36.2-r6

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3

  • CVE-2026-32936HigMay 5, 2026
    affected < 1.36.2-r6fixed 1.36.2-r6

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path,

  • CVE-2026-32934HigMay 5, 2026
    affected < 1.36.2-r6fixed 1.36.2-r6

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDN

Page 2 of 2