CVE-2026-32934
Status: Analyzed - Analysis Complete
CoreDNS DoQ Memory Exhaustion via Unbounded Goroutines

Publication date: 2026-05-05

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.
Meta Information
Published: 2026-05-05
Last Modified: 2026-05-08
Generated: 2026-06-16
AI Q&A: 2026-05-05
EPSS Evaluated: 2026-06-15
External records: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: coredns.io | Product: coredns | Version / Range: up to 1.14.3 (excluding)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Quick Actions (instant insights powered by AI)
Executive Summary

CoreDNS's DNS-over-QUIC (DoQ) server fails to bound the number of streams it services at once, so a remote attacker can drive unbounded goroutine and memory growth.

By opening many QUIC streams and sending only 1 byte on each before stalling, an attacker can pin every worker in the pool and build an unbounded backlog of goroutines waiting for a worker token.

This happens because the DoQ server spawns a new goroutine for each accepted stream even when the worker pool is full, and these goroutines can block indefinitely in read operations without per-stream deadlines.

The issue enables unauthenticated remote denial-of-service through memory exhaustion, potentially leading to out-of-memory kills or service crashes.

Impact Analysis

This vulnerability can cause CoreDNS servers to experience unbounded memory growth and excessive goroutine spawning, which can exhaust system resources.

As a result, the server may be terminated by the operating system due to out-of-memory conditions (OOM-kill) or crash, leading to denial of service.

Since the attack is unauthenticated and remote, any attacker can exploit this to disrupt DNS services relying on vulnerable CoreDNS versions.

Detection Guidance

This vulnerability involves a remote attacker opening many QUIC streams and sending only 1 byte per stream to cause excessive goroutine and memory growth in CoreDNS versions prior to 1.14.3.

Detection can focus on monitoring unusual spikes in the number of QUIC streams or excessive memory and goroutine usage by the CoreDNS process.

Suggested commands to detect potential exploitation include:

  • Use system monitoring tools like 'top' or 'htop' to observe CoreDNS memory and CPU usage; a resident set that keeps growing while query volume stays flat is the signature to look for. If the prometheus plugin is enabled, the exported go_goroutines gauge is the most direct signal.
  • Use 'netstat -anp | grep :<DoQ-port>' or 'ss -anp | grep :<DoQ-port>' to monitor the DNS-over-QUIC port. QUIC runs over UDP and multiplexes streams inside one flow, so these show the listening socket and its traffic, not individual QUIC connections or streams.
  • Use 'lsof -p <coredns_pid>' to review the process's open descriptors; it cannot enumerate QUIC streams, so treat it only as a check on socket and file-descriptor counts.
  • Check CoreDNS logs for unusually high numbers of QUIC streams or errors related to resource exhaustion.
Mitigation Strategies

The primary mitigation step is to upgrade CoreDNS to version 1.14.3 or later, where this vulnerability has been fixed.

No known workarounds exist to fully mitigate this issue without upgrading.

Additionally, consider monitoring and limiting the number of QUIC streams or connections at the network level to reduce exposure until the upgrade can be applied.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
