Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.
Published: 2026-05-05
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in how CoreDNS's DNS-over-QUIC (DoQ) server hands accepted streams to its worker pool. An unauthenticated remote client opens many QUIC streams and sends a single byte on each. The server spawns a goroutine for every accepted stream even when all worker tokens are taken, so those goroutines pile up waiting for a token, and the workers that do hold a token block in io.ReadFull() on the 2-byte DoQ length prefix with no read deadline, waiting for a second byte that never arrives. Goroutine count and memory therefore grow with the number of attacker-opened streams until the process is OOM-killed, denying service to legitimate clients. The weakness is allocation of resources without limits or throttling, CWE-770.
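The two halves of the mechanism described above (a goroutine parked per accepted stream once the pool is full, and workers pinned in io.ReadFull on a one-byte length prefix) side by side with one way to bound each, as an added example written for this page; it is not CoreDNS's own code and not its 1.14.3 patch. A QUIC stream is modelled with net.Pipe, which also supports read deadlines; the workerPool type, the two dispatch functions, the stalling client and the simulate driver are assumptions of the example.

```go
package main

import (
	"encoding/binary"
	"io"
	"net"
	"sync/atomic"
	"time"
)

// DoQ framing (RFC 9250): a 2-byte big-endian length prefix precedes each DNS
// message. Without a read deadline, a peer that sends one byte and stalls
// pins the worker inside io.ReadFull forever. This is the weak pattern.
func readDoQMessageNoDeadline(s net.Conn) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(s, hdr[:]); err != nil {
		return nil, err
	}
	msg := make([]byte, binary.BigEndian.Uint16(hdr[:]))
	if _, err := io.ReadFull(s, msg); err != nil {
		return nil, err
	}
	return msg, nil
}

// readDoQMessage is the hardened form: one deadline bounds prefix and body,
// so a stalled peer costs the worker at most `timeout`.
func readDoQMessage(s net.Conn, timeout time.Duration) ([]byte, error) {
	if err := s.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	return readDoQMessageNoDeadline(s)
}

// workerPool is a semaphore: a send acquires a worker slot, a receive frees it.
type workerPool struct {
	sem     chan struct{}
	waiting int64 // goroutines parked waiting for a slot (flawed path only)
}

// dispatchUnbounded models the flawed accept loop: every accepted stream gets a
// goroutine that parks until a worker frees up, with no limit on how many park.
func (p *workerPool) dispatchUnbounded(s net.Conn, handle func(net.Conn)) {
	go func() {
		atomic.AddInt64(&p.waiting, 1)
		p.sem <- struct{}{}
		atomic.AddInt64(&p.waiting, -1)
		defer func() { <-p.sem }()
		handle(s)
	}()
}

// dispatchBounded is one hardening approach (assumed here, not the project's
// actual patch): acquire a slot first, waiting at most maxWait, and refuse the
// stream otherwise, so no goroutine is ever parked.
func (p *workerPool) dispatchBounded(s net.Conn, maxWait time.Duration, handle func(net.Conn)) bool {
	timer := time.NewTimer(maxWait)
	defer timer.Stop()
	select {
	case p.sem <- struct{}{}:
	case <-timer.C:
		s.Close()
		return false
	}
	go func() {
		defer func() { <-p.sem }()
		handle(s)
	}()
	return true
}

// simulate throws `streams` constructed stalling clients (one byte, then
// silence) at a pool of `workers` using either the flawed or the hardened pair;
// parked is the number of goroutines still waiting for a slot afterwards.
func simulate(workers, streams int, hardened bool, readTimeout time.Duration) (accepted, refused int, parked int64) {
	p := &workerPool{sem: make(chan struct{}, workers)}
	handle := func(s net.Conn) {
		defer s.Close()
		if hardened {
			readDoQMessage(s, readTimeout)
		} else {
			readDoQMessageNoDeadline(s) // never returns: the worker is pinned
		}
	}
	for i := 0; i < streams; i++ {
		server, client := net.Pipe()
		go client.Write([]byte{0x00}) // net.Pipe writes block until read
		switch {
		case !hardened:
			p.dispatchUnbounded(server, handle)
			accepted++
		case p.dispatchBounded(server, time.Millisecond, handle):
			accepted++
		default:
			refused++
		}
	}
	time.Sleep(200 * time.Millisecond) // let spawned goroutines reach the slot wait
	return accepted, refused, atomic.LoadInt64(&p.waiting)
}
```

The block has no main; drive it from a test or a small main that calls simulate. With two workers and ten one-byte streams the flawed pair reports 10 accepted, 0 refused and 8 goroutines parked for good, while the hardened pair reports 2 accepted, 8 refused and none parked, and the two accepted workers are released when their read deadline expires. A deadline expiry surfaces as a net.Error whose Timeout() is true (os.ErrDeadlineExceeded), so a handler can tell a stalling peer from a malformed message when it logs or counts failures.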

Affected Systems

CoreDNS versions prior to 1.14.3 are affected. The vulnerable code path is the DoQ server, so a deployment is exposed only if it runs an affected version and has a DNS‑over‑QUIC listener enabled.

Risk and Exploitability

The CVSS 4.0 score of 8.7 (High) reflects a network-reachable, low-complexity attack that needs no privileges, preconditions or user interaction and affects availability only (vector AV:N/AC:L/AT:N/PR:N/UI:N/VA:H). No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. Wherever the DoQ listener is reachable from untrusted networks, any remote host can exploit it, and because a single byte per stream is enough to pin a worker the attack is cheap for the attacker and expensive for the server, so the risk to availability is significant.

Generated by OpenCVE AI on May 5, 2026 at 20:22 UTC.

Remediation

Fixed in CoreDNS 1.14.3. No workaround exists for earlier versions beyond not exposing the DoQ listener.

OpenCVE Recommended Actions

  • Upgrade CoreDNS to version 1.14.3 or later
  • Disable DNS‑over‑QUIC if it is not required in the configuration
  • Apply a memory limit to the CoreDNS process (container or cgroup limit) so that exhaustion is contained to CoreDNS, and alert on sustained growth of its goroutine count (for example the go_goroutines gauge exported by the prometheus plugin) to detect an attack in progress

Advisories
Source: GitHub GHSA
ID: GHSA-2wpx-qpw2-g5h5
Title: CoreDNS' DoQ worker pool does not bound stream backlog
History

Tue, 05 May 2026 19:30:00 +0000

Values added:

Description: identical to the Description section above.
Title: CoreDNS DNS-over-QUIC unbounded goroutine growth leads to denial of service
Weaknesses: CWE-770
References:
Metrics: cvssV4_0, score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:06:17.080Z

Reserved: 2026-03-17T00:05:53.282Z

Link: CVE-2026-32934

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T20:16:35.853

Modified: 2026-05-05T20:16:35.853

Link: CVE-2026-32934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T20:30:31Z

Weaknesses