CVE-2026-32934

HIGH

CoreDNS DNS-over-QUIC unbounded goroutine growth leads to denial of service

Title source: cna

Description

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5

X_Refsource_Misc x_refsource_misc

https://github.com/coredns/coredns/releases/tag/v1.14.3

Scores

CVSS v3 7.5

EPSS 0.0047

EPSS Percentile 36.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (3)

coredns/coredns 0 - 1.14.3Go

coredns/coredns < 1.14.3

coredns.io/coredns < 1.14.3

Published May 05, 2026

Tracked Since May 06, 2026