CVE-2026-32936
Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.
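The asymmetry the description points at is between a POST body that is read through http.MaxBytesReader and a GET dns= parameter that is parsed, base64-decoded and unpacked at whatever size the client sent. The following Go program is an added illustration written for this page; it is not CoreDNS code and does not reproduce the 1.14.3 fix. The limit values (maxDNSMessage, maxDNSParam, maxRawQuery), the error names, the handler and the sample query bytes are assumptions chosen for the example. checkHeader stands in for a real DNS unpack, which is the expensive step the size checks are meant to protect.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Limits assumed for this example. maxDNSMessage is the largest message DNS can carry
// (16-bit length prefix over TCP); the other two are derived from it.
var (
	maxDNSMessage = 65535
	maxDNSParam   = base64.RawURLEncoding.EncodedLen(maxDNSMessage) // 87380 base64url characters
	maxRawQuery   = maxDNSParam + 512                                // "dns=" plus room for other short parameters
)

var (
	ErrTooLarge   = errors.New("doh: dns parameter exceeds the maximum DNS message size")
	ErrBadMessage = errors.New("doh: decoded bytes are too short to be a DNS message")
)

// sampleQuery is a constructed, minimal DNS query for example.com/IN/A: 12-byte header
// with RD set and QDCOUNT=1, then one question section.
var sampleQuery = []byte{
	0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
	0x00, 0x01, 0x00, 0x01,
}

// checkHeader stands in for a full DNS unpack. The real thing does far more work,
// which is why input size has to be bounded before the message reaches it.
func checkHeader(msg []byte) error {
	if len(msg) < 12 {
		return ErrBadMessage
	}
	return nil
}

// unboundedDNSParam is the weak pattern the advisory describes: the whole query string is
// parsed and the dns= value base64-decoded at whatever size arrived, so a multi-megabyte
// parameter burns CPU and transient allocations before anything can reject it.
func unboundedDNSParam(rawQuery string) ([]byte, error) {
	vals, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	msg, err := base64.RawURLEncoding.DecodeString(vals.Get("dns"))
	if err != nil {
		return nil, err
	}
	return msg, checkHeader(msg)
}

// boundedDNSParam is the GET-side counterpart of MaxBytesReader on the POST path: a cheap
// length check sits in front of each costly step. RFC 8484 requires unpadded base64url,
// which RawURLEncoding enforces (padded input fails to decode).
func boundedDNSParam(rawQuery string) ([]byte, error) {
	if len(rawQuery) > maxRawQuery {
		return nil, ErrTooLarge // before url.ParseQuery allocates anything
	}
	vals, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	enc := vals.Get("dns")
	if len(enc) > maxDNSParam {
		return nil, ErrTooLarge // before base64 decoding; also caps the decoded size at maxDNSMessage
	}
	msg, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil {
		return nil, err
	}
	return msg, checkHeader(msg)
}

// dohHandler gives both methods symmetric limits: GET via boundedDNSParam, POST via
// http.MaxBytesReader. Oversized input on either path is answered with 413.
func dohHandler(w http.ResponseWriter, r *http.Request) {
	var msg []byte
	var err error
	switch r.Method {
	case http.MethodGet:
		msg, err = boundedDNSParam(r.URL.RawQuery)
	case http.MethodPost:
		msg, err = io.ReadAll(http.MaxBytesReader(w, r.Body, int64(maxDNSMessage)))
		if err == nil {
			err = checkHeader(msg)
		}
	default:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	var mbe *http.MaxBytesError
	if errors.Is(err, ErrTooLarge) || errors.As(err, &mbe) {
		http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// A real server would resolve msg here; the example only echoes what was accepted.
	w.Header().Set("Content-Type", "application/dns-message")
	w.Write(msg)
}

func main() {
	good := "dns=" + base64.RawURLEncoding.EncodeToString(sampleQuery)
	msg, err := boundedDNSParam(good)
	fmt.Printf("legitimate query: %d bytes, err=%v\n", len(msg), err)
	big := "dns=" + strings.Repeat("A", 1<<20) // 1 MiB of valid base64url
	_, err = boundedDNSParam(big)
	fmt.Printf("oversized GET, bounded path: err=%v\n", err)
	weak, _ := unboundedDNSParam(big)
	fmt.Printf("oversized GET, unbounded path decoded %d bytes before any rejection\n", len(weak))
}
```

The order of the checks is the point: the raw-query bound runs before url.ParseQuery, the parameter bound before base64 decoding, and because base64 expands by a fixed ratio the encoded-length cap also caps the decoded message at maxDNSMessage, so nothing larger than a DNS message can ever reach the unpacker. The same 1 MiB of "A" characters that the unbounded function happily decodes into 786,432 bytes is rejected by the bounded one after a single length comparison.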
Affected products
Patches
No patches discovered yet.
References
- github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr (Vendor Advisory; NVD tags: Exploit, Mitigation)
- github.com/advisories/GHSA-63cw-r7xf-jmwr (GHSA advisory)
- github.com/coredns/coredns/releases/tag/v1.14.3 (Release Notes)
- nvd.nist.gov/vuln/detail/CVE-2026-32936 (NVD entry)
News mentions
- Patch Tuesday - May 2026 (Rapid7 Blog, May 13, 2026)