PT-2026-35932 · Coredns · Coredns

Wnoelll · Published 2026-04-28 · Updated 2026-05-21 · CVE-2026-35579

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
CoreDNS versions prior to 1.14.3

Description
CoreDNS transport implementations for gRPC, QUIC, DoH, and DoH3 incorrectly handle TSIG (Transaction Signature) authentication, a mechanism used to authenticate DNS messages.

In the gRPC and QUIC transports, the server checks that the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC (Hash-based Message Authentication Code). Consequently, any request carrying a configured key name is treated as authenticated, whatever MAC value it carries.

In the DoH and DoH3 transports the issue is more severe: DoHWriter.TsigStatus() unconditionally returns nil and the server never inspects the TSIG record at all, so any request containing a TSIG record is treated as authenticated, even with an unknown key name and an arbitrary MAC.

An unauthenticated network attacker can exploit these flaws to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behaviour. The bar is lower for DoH and DoH3, since a valid key name is not even required.

Recommendations
Update to version 1.14.3. As a temporary workaround, disable the gRPC, QUIC, DoH, and DoH3 listeners wherever TSIG authentication is relied upon, and restrict network-level access to the affected transport ports to trusted sources only.
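The gRPC/QUIC failure mode described above, modelled in Go as an added example (not CoreDNS's or miekg/dns's code): a check that only looks up the key name, beside the correct check that also recomputes the HMAC and compares it in constant time. The Request type, key name and secret are constructed for this example, and real TSIG additionally folds the TSIG variables into the MAC, which is omitted here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Request models a DNS message carrying a TSIG record: the signed wire bytes,
// the key name the client claims and the MAC it supplied (not CoreDNS's dns.Msg).
type Request struct {
	Wire    []byte
	KeyName string
	MAC     []byte
}

var ErrBadTSIG = errors.New("tsig: verification failed")

// Mac returns HMAC-SHA256 over the message (real TSIG also covers the TSIG variables).
func Mac(secret, wire []byte) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write(wire)
	return h.Sum(nil)
}

// VerifyNameOnly reproduces the gRPC/QUIC flaw: the key name is looked up,
// but the MAC is never compared, so any MAC value is accepted.
func VerifyNameOnly(secrets map[string][]byte, r Request) error {
	if _, ok := secrets[r.KeyName]; !ok {
		return ErrBadTSIG
	}
	return nil
}

// VerifyFull is the correct check: look up the key, recompute the MAC and
// compare it in constant time before trusting the message.
func VerifyFull(secrets map[string][]byte, r Request) error {
	secret, ok := secrets[r.KeyName]
	if !ok || !hmac.Equal(Mac(secret, r.Wire), r.MAC) {
		return ErrBadTSIG
	}
	return nil
}

func main() {
	secrets := map[string][]byte{"axfr-key.": []byte("constructed-secret")}
	forged := Request{Wire: []byte("constructed AXFR"), KeyName: "axfr-key.", MAC: []byte("x")}
	fmt.Println(VerifyNameOnly(secrets, forged), VerifyFull(secrets, forged)) // <nil> tsig: verification failed
}
```

The difference between the two results is exactly what the fix in 1.14.3 restores: a request is trusted only after the MAC, not merely the key name, has been verified.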

Weakness Enumeration

Improper Authentication

Related Identifiers

CLEANSTART-2026-SL86558
CLEANSTART-2026-VJ54611
CVE-2026-35579
GHSA-VP29-5652-4FW9

Affected Products

Coredns