CVE-2026-32934
Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/coredns/corednsGo | < 1.14.3 | 1.14.3 |
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-2wpx-qpw2-g5h5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32934ghsaADVISORY
- github.com/coredns/coredns/releases/tag/v1.14.3nvdRelease NotesWEB
- github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gwghsaWEB
News mentions
1- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026