This update for coredns fixes the following issues:
Update to version 1.14.2:
- CVE-2026-26017: Fixed DNS access control bypass due to default execution
order of plugins and TOCTOU flaw (bsc#1259320).
- CVE-2026-26018: Fixed denial of service in the loop detection plugin due
to predictable PRNG combined with fatal error handler (bsc#1259319).
Update to version 1.14.1:
- This release primarily addresses security vulnerabilities affecting Go
versions prior to Go 1.25.6 and Go 1.24.12 (CVE-2025-61728,
CVE-2025-61726, CVE-2025-68121, CVE-2025-61731, CVE-2025-68119).
- CVE-2025-68156: Fixed uncontrolled recursion in expression evaluation
that can cause a denial of service (bsc#1255345).
Patch Instructions:
To install this openSUSE Security Update, use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2026-79=1
Package List:
- openSUSE Backports SLE-15-SP6 (aarch64 ppc64le x86_64):
coredns-1.14.2-bp156.4.16.1
- openSUSE Backports SLE-15-SP6 (noarch):
coredns-extras-1.14.2-bp156.4.16.1
References:
https://www.suse.com/security/cve/CVE-2025-61726.html
https://www.suse.com/security/cve/CVE-2025-61728.html
https://www.suse.com/security/cve/CVE-2025-61731.html
https://www.suse.com/security/cve/CVE-2025-68119.html
https://www.suse.com/security/cve/CVE-2025-68121.html
https://www.suse.com/security/cve/CVE-2025-68156.html
https://www.suse.com/security/cve/CVE-2026-26017.html
https://www.suse.com/security/cve/CVE-2026-26018.html
https://bugzilla.suse.com/1255345
https://bugzilla.suse.com/1259319
https://bugzilla.suse.com/1259320