cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3.
cert-manager-controller DoS via Specially Crafted DNS Response
Problem type
Affected products
cert-manager
>= 1.18.0, < 1.18.5 - AFFECTED
>= 1.19.0, < 1.19.3 - AFFECTED
References
https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv
https://github.com/cert-manager/cert-manager/pull/8467
https://github.com/cert-manager/cert-manager/pull/8468
https://github.com/cert-manager/cert-manager/pull/8469
https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc
https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d
https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2
GitHub Security Advisories
GHSA-gx3x-vq4p-mhhv
cert-manager-controller DoS via Specially Crafted DNS Response
https://github.com/advisories/GHSA-gx3x-vq4p-mhhvImpact
The cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS.
An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in Denial of Service (DoS) of the cert-manager controller.
The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor.
Patches
The vulnerability was introduced in cert-manager v1.18.0 and has been patched in cert-manager v1.19.3 and v1.18.5, which are the supported minor releases at the time of publishing.
cert-manager versions prior to v1.18.0 are unaffected.
Workarounds
- Using DNS-over-HTTPS reduces the risk of DNS traffic being intercepted and modified.
- Note that DNS-over-HTTPS does not prevent the risk of an attacker-controlled authoritative DNS server.
Resources
- Fix for cert-manager 1.18: https://github.com/cert-manager/cert-manager/pull/8467
- Fix for cert-manager 1.19: https://github.com/cert-manager/cert-manager/pull/8468
- Fix for master branch: https://github.com/cert-manager/cert-manager/pull/8469
Credits
Huge thanks to Oleh Konko (@1seal) for reporting the issue, providing a detailed PoC and an initial patch!
https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv
https://github.com/cert-manager/cert-manager/pull/8467
https://github.com/cert-manager/cert-manager/pull/8468
https://github.com/cert-manager/cert-manager/pull/8469
https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc
https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d
https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2
https://github.com/advisories/GHSA-gx3x-vq4p-mhhv
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-25518Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-25518",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-02-04T21:18:06.681Z",
"dateReserved": "2026-02-02T18:21:42.487Z",
"datePublished": "2026-02-04T21:18:06.681Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-02-04T21:18:06.681Z"
},
"title": "cert-manager-controller DoS via Specially Crafted DNS Response",
"descriptions": [
{
"lang": "en",
"value": "cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3."
}
],
"affected": [
{
"vendor": "cert-manager",
"product": "cert-manager",
"versions": [
{
"version": ">= 1.18.0, < 1.18.5",
"status": "affected"
},
{
"version": ">= 1.19.0, < 1.19.3",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-129: Improper Validation of Array Index",
"cweId": "CWE-129",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "CWE-704: Incorrect Type Conversion or Cast",
"cweId": "CWE-704",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv",
"name": "https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/cert-manager/cert-manager/pull/8467",
"name": "https://github.com/cert-manager/cert-manager/pull/8467",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/cert-manager/cert-manager/pull/8468",
"name": "https://github.com/cert-manager/cert-manager/pull/8468",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/cert-manager/cert-manager/pull/8469",
"name": "https://github.com/cert-manager/cert-manager/pull/8469",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc",
"name": "https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d",
"name": "https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2",
"name": "https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM"
}
}
]
}
}
}