Vulnerability Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Coredns.Io | Coredns | < 1.14.3 |
Related Weaknesses (CWE)
References
- https://github.com/coredns/coredns/releases/tag/v1.14.3Release Notes
- https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwrExploitMitigationVendor Advisory
- https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwrExploitMitigationVendor Advisory
FAQ
What is CVE-2026-32936?
CVE-2026-32936 is a vulnerability with a CVSS score of 7.5 (HIGH). CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decodin...
How severe is CVE-2026-32936?
CVE-2026-32936 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32936?
Check the references section above for vendor advisories and patch information. Affected products include: Coredns.Io Coredns.