Vulnerability Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Coredns.Io | Coredns | < 1.14.3 |
Related Weaknesses (CWE)
References
- https://github.com/coredns/coredns/releases/tag/v1.14.3Release Notes
- https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5ExploitVendor Advisory
- https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5ExploitVendor Advisory
FAQ
What is CVE-2026-32934?
CVE-2026-32934 is a vulnerability with a CVSS score of 7.5 (HIGH). CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUI...
How severe is CVE-2026-32934?
CVE-2026-32934 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32934?
Check the references section above for vendor advisories and patch information. Affected products include: Coredns.Io Coredns.