VYPR

apk package

chainguard/eks-distro-coredns-fips-1.36

pkg:apk/chainguard/eks-distro-coredns-fips-1.36

Vulnerabilities (25)

  • CVE-2026-33814 (High, May 7, 2026)
    affected < 1.36.2-r2, fixed 1.36.2-r2

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-35579 (Critical, May 5, 2026)
    affected < 1.36.2-r5, fixed 1.36.2-r5

    CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigV

  • CVE-2026-33190 (High, May 5, 2026)
    affected < 1.36.2-r5, fixed 1.36.2-r5

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3

  • CVE-2026-32936 (High, May 5, 2026)
    affected < 1.36.2-r5, fixed 1.36.2-r5

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path,

  • CVE-2026-33186 (Critical, Mar 20, 2026)
    affected < 1.36.2-r1, fixed 1.36.2-r1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
