
[AutoPR- Security] Patch coredns for CVE-2026-26018, CVE-2026-26017 [HIGH]#16146

Open
azurelinux-security wants to merge 3 commits into microsoft:fasttrack/3.0 from azurelinux-security:azure-autosec/coredns/3.0/1065637

Conversation

azurelinux-security (Contributor) commented Mar 9, 2026

Auto Patch coredns for CVE-2026-26018, CVE-2026-26017.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1065637&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

akhila-guruju (Contributor) commented Mar 10, 2026

Reason for build failure:
The build fails in %build when make tries to regenerate core/plugin/zplugin.go.
This regeneration is triggered because CVE-2026-26017.patch changes plugin.cfg, making it newer than core/plugin/zplugin.go and core/dnsserver/zdirectives.go. The Makefile target for those z* files runs go generate, which in turn runs go get and fails in a network-disabled build.
This is a similar class of issue to the one mentioned inside CVE-2025-47950.patch (PR: #14697).
Fix done:
The fix is to touch the generated file so it's newer than plugin.cfg.
The change has been made in the z*.go files only, to keep generated outputs in sync with plugin.cfg and prevent a networked regenerate step.

Kanishk-Bansal (Contributor) commented

Buddy Build

akhila-guruju (Contributor) commented

Buddy Build has passed.

@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review March 10, 2026 11:00
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner March 10, 2026 11:00
Kanishk-Bansal (Contributor) commented

CVE Patch Review: PR #16146 — Patch coredns for CVE-2026-26018, CVE-2026-26017

PR: #16146
Author: azurelinux-security (AutoPR-Security)
Target Branch: fasttrack/3.0
Package: coredns 1.11.4
Build: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1066415&view=results


CVE Summary

| CVE | Severity | CVSS | Type | Description |
|---|---|---|---|---|
| CVE-2026-26018 | HIGH | 7.5 (CNA) | CWE-337: Predictable PRNG | Loop detection plugin uses predictable PRNG for secret query name, enabling DoS via crafted DNS queries |
| CVE-2026-26017 | HIGH | 7.7 (CNA) / 6.3 (NVD) | CWE-367: TOCTOU | Plugin execution ordering allows ACL bypass — acl runs before rewrite, creating a TOCTOU flaw |

Both CVEs are fixed upstream in CoreDNS v1.14.2. The Azure Linux package is at v1.11.4, so backported patches are required.


Spec File

  • Patch entry: Patch10: CVE-2026-26017.patch, Patch11: CVE-2026-26018.patch — sequential numbering correct (follows Patch9)
  • Patch application: Uses %autosetup -p1 — patches applied automatically
  • Release bumped: 13 → 14 — correct increment
  • Changelog updated: New entry at top, dated Mon Mar 09 2026, references both CVEs
  • Changelog date: Day-of-week matches (March 9, 2026 is a Monday) — correct

Patch Verification

CVE-2026-26018: plugin/loop/setup.go (crypto/rand)

  • Upstream reference: coredns/coredns@7ae1c40
  • Comparison result: Upstream patch has been backported manually.
    • Hunk offset: PR patch at line 77 vs upstream at line 83 (6-line offset) — expected for v1.11.4 backport
    • Core fix logic: Identical — replaces plugin/pkg/rand (predictable PRNG seeded with time.Now().UnixNano()) with crypto/rand for secure random query name generation
    • New function secureRandIntString(): Identical to upstream — generates 62-bit random integers with crypto/rand.Int(), falls back to time.Now().UnixNano() if rand.Reader unavailable
    • Import changes: Identical — adds crypto/rand, math/big; removes plugin/pkg/rand
    • All security-critical changes preserved — no logic differences

CVE-2026-26017 — plugin reorder (acl after rewrite)

  • Upstream reference: plugin: reorder rewrite before acl to prevent bypass coredns/coredns#7882
  • Comparison result: Upstream patch has been backported manually with additional generated files.
    • plugin.cfg change: Identical to upstream — moves acl:acl from before any to after rewrite, ensuring rewrite runs before ACL checks
    • Additional files: PR also patches core/dnsserver/zdirectives.go and core/plugin/zplugin.go — these are auto-generated from plugin.cfg and must be updated manually since the RPM build doesn't regenerate them
    • Minor cosmetic: Comment in zplugin.go changed from "// Include all plugins." to "// Include all the plugins." — not in upstream, but harmless
    • All security-critical changes preserved — ACL ordering fix is correct

Patch Comparison Checklist

  • Both patches downloaded and compared with upstream
  • Core security fix logic matches upstream
  • Differences documented and justified (line offsets from backport, additional auto-generated files)
  • No hallucinated or incorrect modifications found

Build Status

Build Run: 1066415

| Architecture | Build | Tests | Result |
|---|---|---|---|
| x86_64 (amd64) | PASSED | 746/746 tests passed (82 packages) | SUCCESS |
| aarch64 (arm64) | PASSED | 746/746 tests passed (81 packages) | SUCCESS |

Build Log Details (amd64)

  • All 12 patches applied cleanly with --fuzz=0 (strict matching)
  • Go version: 1.24.13, CGO_ENABLED=0
  • No compilation errors or warnings
  • No changelog warnings (dates valid, chronological order correct)
  • RPM produced: coredns-1.11.4-14.azl3.x86_64.rpm
  • Only cosmetic warning: hostname canonicalization in build container (expected)

Build Log Details (arm64)

  • All 12 patches applied cleanly with --fuzz=0
  • Go version: 1.24.13, CGO_ENABLED=0
  • No compilation errors or warnings
  • No changelog warnings
  • RPM produced: coredns-1.11.4-14.azl3.aarch64.rpm
  • Race detector enabled during tests — no data races detected

PR Description

  • CVE summary provided
  • Change log lists both CVEs
  • NVD links provided for both CVEs
  • Buddy build URL provided
  • Autosec pipeline run linked
  • Merge checklist completed

Findings and Observations

  1. Minor cosmetic diff in CVE-2026-26017.patch: The comment change in zplugin.go ("Include all plugins" → "Include all the plugins") is not present in the upstream patch. This is a non-functional change and does not affect security or correctness, but ideally patches should match upstream exactly to minimize review burden.

  2. No signature file updates: The PR does not include changes to *.signatures.json. This is typically auto-generated during the build process and may not require manual updates for patch files.

  3. Branch targeting is correct: Both CVEs are HIGH severity, and the PR targets fasttrack/3.0 which is appropriate for high-severity security fixes.


Verdict

LGTM — Both patches correctly backport the upstream security fixes. Build passed on both architectures with all 746 tests passing. Patches apply cleanly with zero fuzz.
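To make the CVE-2026-26018 review points concrete, here is an added illustration (not code from the PR or from CoreDNS) of what the review describes: a 62-bit draw from crypto/rand with a wall-clock fallback, set beside a clock-seeded math/rand source of the kind the fix removes. The two-label probe-name layout, the function names and the zone are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand"
	"strconv"
	"time"
)

// maxRand is 2^62: draws are 62-bit values, as the review describes.
var maxRand = new(big.Int).Lsh(big.NewInt(1), 62)

// secureRandIntString draws a 62-bit integer from crypto/rand and returns it in
// decimal. If the CSPRNG reader fails it falls back to the wall clock, the
// fallback the review describes for the backport. Illustrative code, not CoreDNS's.
func secureRandIntString() string {
	n, err := rand.Int(rand.Reader, maxRand)
	if err != nil {
		return strconv.FormatInt(time.Now().UnixNano(), 10)
	}
	return n.String()
}

// loopQName prepends two random labels to the zone. The label layout is an
// assumption made for this example; the point is the randomness source.
func loopQName(zone string) string {
	return fmt.Sprintf("%s.%s.%s", secureRandIntString(), secureRandIntString(), zone)
}

// predictableLabels shows the weakness class the fix removes (CWE-337): a
// math/rand source seeded from a clock value yields the same labels for the
// same seed, so a value that must stay secret cannot come from it.
func predictableLabels(seed int64, n int) []int64 {
	r := mrand.New(mrand.NewSource(seed))
	out := make([]int64, n)
	for i := range out {
		out[i] = r.Int63()
	}
	return out
}

func main() {
	fmt.Println("crypto/rand probe name:", loopQName("example.org."))
	fmt.Println("clock-seeded math/rand, same seed twice:",
		predictableLabels(1, 2), predictableLabels(1, 2))
}
```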

Kanishk-Bansal added the label CVEFixReadyForMaintainerReview (when a CVE fix has been reviewed by release manager and is ready for stable maintainer review) Mar 10, 2026
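The ordering point behind CVE-2026-26017, as an added illustration (not CoreDNS or PR code): a minimal plugin chain in which an ACL that filters on the question name runs either before or after a rewrite, showing why plugin.cfg order must put rewrite first so the ACL judges the name that will actually be resolved. The handler types, names and the blocked zone are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// query is the chain's mutable state; plugins may change qname in flight.
type query struct{ qname string }
// plugin mirrors a CoreDNS-style handler (illustrative type, not CoreDNS's API); serve returns false to stop the chain.
type plugin struct {
	name  string
	serve func(q *query) bool
}

// newRewrite maps one question name to another, as the rewrite plugin does.
func newRewrite(from, to string) plugin {
	return plugin{name: "rewrite", serve: func(q *query) bool {
		if strings.EqualFold(q.qname, from) {
			q.qname = to
		}
		return true
	}}
}

// newACL refuses names under blockedZone, judging q.qname at the moment it runs (the TOCTOU the review describes).
func newACL(blockedZone string) plugin {
	return plugin{name: "acl", serve: func(q *query) bool {
		return !strings.HasSuffix(strings.ToLower(q.qname), strings.ToLower(blockedZone))
	}}
}

// runChain applies plugins in plugin.cfg order; returns the resolved name and whether the ACL allowed it.
func runChain(order []plugin, q query) (string, bool) {
	for _, p := range order {
		if !p.serve(&q) {
			return q.qname, false
		}
	}
	return q.qname, true
}

func main() {
	rw, acl := newRewrite("public.example.", "secret.internal."), newACL("internal.")
	for _, order := range [][]plugin{{acl, rw}, {rw, acl}} { // pre-fix order, then fixed order
		n, ok := runChain(order, query{qname: "public.example."})
		fmt.Printf("%s then %s: resolves %s, allowed=%v\n", order[0].name, order[1].name, n, ok)
	}
}
```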
Kanishk-Bansal (Contributor) commented

/azurepipelines run

azure-pipelines commented

Azure Pipelines successfully started running 1 pipeline(s).


Labels

  • AutoPR-Security
  • CVEFixReadyForMaintainerReview (when a CVE fix has been reviewed by release manager and is ready for stable maintainer review)
  • fasttrack/3.0 (PRs destined for Azure Linux 3.0)
  • Packaging
  • security
