Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.
Published: 2026-05-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in CoreDNS’s DNS‑over‑HTTPS GET path allows any remote unauthenticated client to submit oversized dns= query parameters that are parsed, base64 decoded, and unpacked before the request is rejected. Because the GET path lacks a size limit, these operations consume excessive CPU cycles, allocate large amounts of memory, and trigger frequent garbage collection, which can exhaust server resources. The consequence is a denial‑of‑service for all users of the affected CoreDNS instance. The weakness is a classic unbounded resource consumption problem, classified as CWE‑400.

Affected Systems

CoreDNS, the open‑source DNS server used in many Kubernetes and other cloud deployments, is affected by this vulnerability in any version prior to 1.14.3. The vulnerability was fixed in release 1.14.3, which can be obtained from the CoreDNS GitHub releases page. Systems running earlier releases are at risk unless mitigated.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity for Denial of Service. The EPSS score is not available, but the lack of a known exploit in the CISA KEV catalog does not reduce the risk of passive denial‑of‑service attacks. The vulnerability is exploitable over the public internet from any host without authentication, making it attractive for attackers seeking to disrupt infrastructure. Because the attack only requires sending oversized GET requests, it can be automated and amplified if coordinated across multiple machines.

Generated by OpenCVE AI on May 5, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CoreDNS to version 1.14.3 or newer.
  • Configure network or application layer firewalls to limit the size of incoming HTTP requests to the DoH endpoint.
  • Implement rate limiting or throttling for DoH GET traffic to reduce the impact of malicious requests.

Generated by OpenCVE AI on May 5, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-63cw-r7xf-jmwr CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification
History

Fri, 08 May 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:coredns.io:coredns:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 05 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Coredns.io
Coredns.io coredns
Vendors & Products Coredns.io
Coredns.io coredns

Tue, 05 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 05 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.
Title CoreDNS DoH GET path missing size validation causes CPU and memory amplification
Weaknesses CWE-400
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Coredns.io Coredns
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:32:25.341Z

Reserved: 2026-03-17T00:05:53.282Z

Link: CVE-2026-32936

cve-icon Vulnrichment

Updated: 2026-05-05T19:32:10.408Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T20:16:36.010

Modified: 2026-05-08T16:02:28.993

Link: CVE-2026-32936

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T21:30:05Z

Weaknesses