Description
cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3.
Published: 2026-02-04
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service to cert‑manager controller
Action: Patch Immediately
AI Analysis

Impact

The cert‑manager controller performs DNS lookups for ACME DNS‑01 challenges using standard unencrypted DNS. An attacker who can intercept and modify DNS responses can inject a specially crafted entry into the controller's DNS cache. When the controller later accesses that entry, it panics, causing a denial of service that stops all certificate issuance and renewal. If the outage persists, certificates used by services in the cluster are no longer renewed and eventually expire, potentially interrupting TLS‑protected applications.

Affected Systems

The vulnerability affects cert‑manager versions 1.18.0 through 1.18.4 and 1.19.0 through 1.19.2. The affected product is the cert‑manager controller component that runs inside Kubernetes clusters. Any cluster running these versions is at risk if its DNS traffic can be observed or controlled by an attacker, or if the authoritative DNS server for the domain used in the challenge is malicious.

Risk and Exploitability

The CVSS base score of 5.9 indicates moderate severity. The EPSS score is below 1%, meaning the estimated probability of exploitation in the wild is very low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires either network access to the controller pod's DNS traffic or control of the authoritative DNS server for the target domain; these prerequisites limit exposure, but both conditions can exist in many environments. Because the failure is a controller panic rather than host compromise, the impact is limited to denial of service. Nonetheless, timely patching is warranted to avoid service disruption.

Generated by OpenCVE AI on April 17, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade cert‑manager to version 1.18.5, 1.19.3, or newer, which includes the fix for this DoS vulnerability.
  • Restrict outbound DNS traffic from the cert‑manager-controller pod using Kubernetes NetworkPolicies or cluster firewall rules so that only trusted DNS resolvers are reachable.
  • Enable DNS over TLS or use a private DNS service for all cert‑manager DNS queries to prevent tampering with DNS responses.
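As an added example (not from the advisory or the cert-manager project), the NetworkPolicy below implements the second action: DNS on port 53 may leave the cert-manager-controller pod only toward the in-cluster resolver, while every other port stays reachable so the controller can still talk to the API server and ACME endpoints. It assumes cert-manager is installed in the cert-manager namespace with the Helm chart's pod labels and that the cluster resolver is kube-dns/CoreDNS in kube-system.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cert-manager-controller-dns-egress
  namespace: cert-manager            # assumption: chart installed here
spec:
  podSelector:
    matchLabels:                     # assumption: Helm chart labels
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/component: controller
  policyTypes:
    - Egress
  egress:
    # Rule 1: port 53 is allowed only to the trusted in-cluster resolver.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Rule 2: all non-DNS ports stay open (API server, ACME directory,
    # DNS provider APIs). Port 53 is deliberately absent from the ranges,
    # so direct queries to arbitrary resolvers or authoritative servers
    # are dropped. Some CNIs apply ipBlock only to cluster-external
    # addresses; add a namespaceSelector rule for in-cluster targets if so.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 1
          endPort: 52
        - protocol: TCP
          port: 54
          endPort: 65535
        - protocol: UDP
          port: 1
          endPort: 52
        - protocol: UDP
          port: 54
          endPort: 65535
```

By default the DNS-01 self-check queries the zone's authoritative nameservers directly, so pair this policy with the controller flags --dns01-recursive-nameservers=<resolver>:53 and --dns01-recursive-nameservers-only so that zone discovery and self-checks go through the permitted resolver; otherwise the self-check will fail under this policy.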

Advisories

Source: GitHub GHSA
ID: GHSA-gx3x-vq4p-mhhv
Title: cert-manager-controller DoS via Specially Crafted DNS Response

History

Fri, 27 Feb 2026 20:30:00 +0000
Type: CPEs
Values Added: cpe:2.3:a:cert-manager:cert-manager:*:*:*:*:*:*:*:*

Fri, 06 Feb 2026 00:15:00 +0000
Type: Weaknesses
Values Added: CWE-1285
Type: References
Type: Metrics (threat_severity)
Values Removed: threat_severity None
Values Added: threat_severity Moderate

Thu, 05 Feb 2026 15:15:00 +0000
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000
Type: First Time appeared
Values Added: Cert-manager; Cert-manager cert-manager
Type: Vendors & Products
Values Added: Cert-manager; Cert-manager cert-manager

Wed, 04 Feb 2026 21:30:00 +0000
Type: Description
Values Added: the vulnerability description shown in the Description section above
Type: Title
Values Added: cert-manager-controller DoS via Specially Crafted DNS Response
Type: Weaknesses
Values Added: CWE-129; CWE-704
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-05T14:31:52.478Z
Reserved: 2026-02-02T18:21:42.487Z
Link: CVE-2026-25518

Vulnrichment
Updated: 2026-02-05T14:20:08.435Z

NVD
Status: Analyzed
Published: 2026-02-04T22:15:58.990
Modified: 2026-02-27T20:20:22.113
Link: CVE-2026-25518

Redhat
Severity: Moderate
Public Date: 2026-02-04T21:18:06Z
Links: CVE-2026-25518 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-17T23:15:30Z

Weaknesses