CVE-2026-32934— CoreDNS DNS-over-QUIC unbounded goroutine growth leads to denial of service
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-32934
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CoreDNS DNS-over-QUIC unbounded goroutine growth leads to denial of service
Source: NVD (National Vulnerability Database)
Vulnerability Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
CoreDNS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
CoreDNS是CoreDNS社区的一个 DNS 服务器。 CoreDNS 1.14.3之前版本存在安全漏洞,该漏洞源于DNS-over-QUIC服务器中远程客户端打开大量QUIC流并仅发送1字节,可能导致无限制的goroutine和内存增长。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-32934
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-32934
请登录查看更多情报信息。
- Release v1.14.3 · coredns/coredns · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-32934
Same Patch Batch · coredns · 2026-05-05 · 5 CVEs total
| CVE-2026-32936 | CoreDNS DoH GET path missing size validation causes CPU and memory amplification | |
| CVE-2026-33489 | CoreDNS transfer plugin subzone ACL bypass via lexicographic zone comparison | |
| CVE-2026-33190 | CoreDNS TSIG authentication bypass on encrypted DNS transports | |
| CVE-2026-35579 | CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and DoH3 transports |
IV. Related Vulnerabilities
Same product: coredns
- CVE-2026-35579
CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and D - CVE-2026-33489
CoreDNS transfer plugin subzone ACL bypass via lexicographic - CVE-2026-32936
CoreDNS DoH GET path missing size validation causes CPU and - CVE-2026-33190
CoreDNS TSIG authentication bypass on encrypted DNS transpor - CVE-2026-26017
CoreDNS ACL Bypass
Same vendor: coredns
- CVE-2026-35579
CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and D - CVE-2026-33489
CoreDNS transfer plugin subzone ACL bypass via lexicographic - CVE-2026-32936
CoreDNS DoH GET path missing size validation causes CPU and - CVE-2026-33190
CoreDNS TSIG authentication bypass on encrypted DNS transpor - CVE-2026-26017
CoreDNS ACL Bypass
Same weakness: CWE-770
- CVE-2026-42294
Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in W - CVE-2026-42189
Russh: Pre-auth DoS via unbounded allocation in keyboard-int - CVE-2026-42793
Atom table exhaustion via attacker-controlled GraphQL SDL na - CVE-2026-44499
ZEBRA: Permanent Block Discovery Halt via Gossip Queue Satur - CVE-2026-44500
ZEBRA: Allocation Amplification in Inbound Network Deseriali
V. Comments for CVE-2026-32934
No comments yet