CVE-2026-32936
Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.
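The missing pre-check described above, sketched as an added Go example (this is not CoreDNS code and not the 1.14.3 patch): it bounds the raw query and the dns= value before any query parsing or base64 decoding happens. The names boundedDoHGet, getReq, querySlack and errTooLarge are hypothetical, the 256-byte slack is an assumed allowance, and all inputs are constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const (
	maxMsgBytes = 65536 // mirrors the bound the description gives for the POST path
	querySlack  = 256   // assumed allowance for "dns=" and other short parameters
)

// maxParamLen is the longest unpadded base64url string that decodes to maxMsgBytes.
var maxParamLen = base64.RawURLEncoding.EncodedLen(maxMsgBytes)
var errTooLarge = errors.New("doh: dns parameter exceeds size limit")

// boundedDoHGet (hypothetical name) returns the wire-format DNS message from a
// DoH GET request, rejecting oversized input before parsing or decoding it.
func boundedDoHGet(r *http.Request) ([]byte, error) {
	// Constant-time length check on the raw query: nothing is parsed or allocated yet.
	if len(r.URL.RawQuery) > maxParamLen+querySlack {
		return nil, errTooLarge
	}
	b64 := r.URL.Query().Get("dns")
	if b64 == "" {
		return nil, errors.New("doh: missing dns parameter")
	}
	if len(b64) > maxParamLen {
		return nil, errTooLarge
	}
	// RFC 8484 carries the message as base64url without padding.
	return base64.RawURLEncoding.DecodeString(b64)
}

// getReq builds a constructed GET request whose dns= value is q.
func getReq(q string) *http.Request {
	return &http.Request{Method: http.MethodGet, URL: &url.URL{Path: "/dns-query", RawQuery: "dns=" + q}}
}

func main() {
	// Constructed inputs: a 12-byte header-only message and a 1 MiB parameter.
	small := base64.RawURLEncoding.EncodeToString(make([]byte, 12))
	for _, q := range []string{small, strings.Repeat("A", 1<<20)} {
		msg, err := boundedDoHGet(getReq(q))
		fmt.Printf("param=%d bytes -> msg=%d bytes, err=%v\n", len(q), len(msg), err)
	}
}
```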
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/coredns/coredns (Go) | < 1.14.3 | 1.14.3 |
Affected products
osv-coords, 21 versions (no CPE is assigned to any entry):
| Package | Affected range |
|---|---|
| pkg:apk/chainguard/eks-distro-coredns-1.31 | < 1.31.43-r2 |
| pkg:apk/chainguard/eks-distro-coredns-1.32 | < 1.32.36-r2 |
| pkg:apk/chainguard/eks-distro-coredns-1.33 | < 1.33.26-r2 |
| pkg:apk/chainguard/eks-distro-coredns-1.34 | < 1.34.17-r2 |
| pkg:apk/chainguard/eks-distro-coredns-1.35 | < 1.35.8-r2 |
| pkg:apk/chainguard/eks-distro-coredns-1.36 | < 1.36.2-r6 |
| pkg:apk/chainguard/eks-distro-coredns-fips-1.31 | < 1.31.43-r2 |
| pkg:apk/chainguard/eks-distro-coredns-fips-1.32 | < 1.32.36-r2 |
| pkg:apk/chainguard/eks-distro-coredns-fips-1.33 | < 1.33.26-r2 |
| pkg:apk/chainguard/eks-distro-coredns-fips-1.34 | < 1.34.17-r2 |
| pkg:apk/chainguard/eks-distro-coredns-fips-1.35 | < 1.35.8-r2 |
| pkg:apk/chainguard/eks-distro-coredns-fips-1.36 | < 1.36.2-r5 |
| pkg:apk/chainguard/juicefs-1.3 | < 1.3.1-r14 |
| pkg:apk/chainguard/k8s_gateway | < 1.8.0-r1 |
| pkg:apk/chainguard/k8s_gateway-fips | < 1.8.0-r1 |
| pkg:apk/chainguard/kubernetes-dns-node-cache | < 1.26.8-r3 |
| pkg:apk/chainguard/kubernetes-dns-node-cache-fips | < 1.26.8-r2 |
| pkg:apk/wolfi/juicefs-1.3 | < 1.3.1-r14 |
| pkg:apk/wolfi/k8s_gateway | < 1.8.0-r1 |
| pkg:apk/wolfi/kubernetes-dns-node-cache | < 1.26.8-r3 |
| pkg:golang/github.com/coredns/coredns | < 1.14.3 |
References
- github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr (nvd: Exploit, Mitigation, Vendor Advisory; WEB)
- github.com/advisories/GHSA-63cw-r7xf-jmwr (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-32936 (ghsa: ADVISORY)
- github.com/coredns/coredns/releases/tag/v1.14.3 (nvd: Release Notes; WEB)
News mentions
- Patch Tuesday - May 2026 (Rapid7 Blog, May 13, 2026)