CVE-2026-32934
Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/coredns/corednsGo | < 1.14.3 | 1.14.3 |
Affected products
22- osv-coords20 versionspkg:apk/chainguard/eks-distro-coredns-1.31pkg:apk/chainguard/eks-distro-coredns-1.32pkg:apk/chainguard/eks-distro-coredns-1.33pkg:apk/chainguard/eks-distro-coredns-1.34pkg:apk/chainguard/eks-distro-coredns-1.35pkg:apk/chainguard/eks-distro-coredns-1.36pkg:apk/chainguard/eks-distro-coredns-fips-1.31pkg:apk/chainguard/eks-distro-coredns-fips-1.32pkg:apk/chainguard/eks-distro-coredns-fips-1.33pkg:apk/chainguard/eks-distro-coredns-fips-1.34pkg:apk/chainguard/eks-distro-coredns-fips-1.35pkg:apk/chainguard/juicefs-1.3pkg:apk/chainguard/k8s_gatewaypkg:apk/chainguard/k8s_gateway-fipspkg:apk/chainguard/kubernetes-dns-node-cachepkg:apk/chainguard/kubernetes-dns-node-cache-fipspkg:apk/wolfi/juicefs-1.3pkg:apk/wolfi/k8s_gatewaypkg:apk/wolfi/kubernetes-dns-node-cachepkg:golang/github.com/coredns/coredns
< 1.31.43-r2+ 19 more
- (no CPE)range: < 1.31.43-r2
- (no CPE)range: < 1.32.36-r2
- (no CPE)range: < 1.33.26-r2
- (no CPE)range: < 1.34.17-r2
- (no CPE)range: < 1.35.8-r2
- (no CPE)range: < 1.36.2-r6
- (no CPE)range: < 1.31.43-r2
- (no CPE)range: < 1.32.36-r2
- (no CPE)range: < 1.33.26-r2
- (no CPE)range: < 1.34.17-r2
- (no CPE)range: < 1.35.8-r2
- (no CPE)range: < 1.3.1-r14
- (no CPE)range: < 1.8.0-r1
- (no CPE)range: < 1.8.0-r1
- (no CPE)range: < 1.26.8-r3
- (no CPE)range: < 1.26.8-r2
- (no CPE)range: < 1.3.1-r14
- (no CPE)range: < 1.8.0-r1
- (no CPE)range: < 1.26.8-r3
- (no CPE)range: < 1.14.3
Patches
Vulnerability mechanics
References
5- github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-2wpx-qpw2-g5h5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32934ghsaADVISORY
- github.com/coredns/coredns/releases/tag/v1.14.3nvdRelease NotesWEB
- github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gwghsaWEB
News mentions
1- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026