Description

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.

INFO

Published Date :

2026-05-05T19:06:17.080Z

Last Modified :

2026-05-06T15:14:54.790Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32934 vulnerability.

Vendors Products
Coredns.io
  • Coredns
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32934.

URL Resource
https://github.com/coredns/coredns/releases/tag/v1.14.3 cve-icon cve-icon
https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact