CVE-2026-32934

Description

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.

PUBLISHED Reserved 2026-03-17 | Published 2026-05-05 | Updated 2026-05-06 | Assigner GitHub_M

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

References

github.com/...oredns/security/advisories/GHSA-2wpx-qpw2-g5h5 exploit

github.com/...oredns/security/advisories/GHSA-2wpx-qpw2-g5h5

github.com/coredns/coredns/releases/tag/v1.14.3

cve.org (CVE-2026-32934)

nvd.nist.gov (CVE-2026-32934)

Download JSON