CVE-2026-32934
CoreDNS DoQ Memory Exhaustion via Unbounded Goroutines
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coredns | coredns | all versions before 1.14.3 (fixed in 1.14.3) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CoreDNS's DNS-over-QUIC (DoQ) server does not bound the number of streams it is handling at once, so a remote attacker can drive goroutine and memory growth without limit.
By opening many QUIC streams and sending a single byte on each before stalling, the attacker occupies every worker in the pool and then builds an unbounded backlog of goroutines waiting behind it.
The root cause is that the DoQ server spawns a new goroutine for each accepted stream even when the worker pool is already full, and those goroutines block indefinitely in read calls because no per-stream read deadline is set.
The result is an unauthenticated, remote denial of service through memory exhaustion: the process grows until it is OOM-killed or crashes.
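The two patterns described above, side by side, as an added example written for this page (it is not CoreDNS's code): a stub stream that delivers one byte and then stalls, an unbounded accept loop that parks one goroutine per stream, and a bounded variant that uses a worker-pool semaphore and a per-stream read deadline. The stream interface shape (assumed from quic-go's Stream), the pool size and the 50 ms deadline are assumptions made for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"os"
	"sync"
	"sync/atomic"
	"time"
)

// stream is the subset of a QUIC stream a DoQ handler needs. The shape is
// assumed from quic-go's Stream; nothing in this file is CoreDNS's own code.
type stream interface {
	Read(p []byte) (int, error)
	SetReadDeadline(t time.Time) error
}

// stalledStream is a constructed attacker stream: one byte of the DoQ length
// prefix, then silence. It is read by a single goroutine, as in the server.
type stalledStream struct {
	sent     bool
	deadline <-chan time.Time // nil, i.e. blocks forever, until a deadline is set
}

func (s *stalledStream) Read(p []byte) (int, error) {
	if !s.sent && len(p) > 0 {
		s.sent = true
		p[0] = 0 // high byte of the 2-byte DoQ length prefix (RFC 9250)
		return 1, nil
	}
	<-s.deadline // nothing more ever arrives: block until the deadline fires
	return 0, os.ErrDeadlineExceeded
}

func (s *stalledStream) SetReadDeadline(t time.Time) error {
	s.deadline = time.After(time.Until(t))
	return nil
}

// readMessage reads one DoQ message (2-byte big-endian length, then payload).
// On a stalled stream it blocks inside the first ReadFull.
func readMessage(s stream) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(s, hdr[:]); err != nil {
		return nil, err
	}
	msg := make([]byte, binary.BigEndian.Uint16(hdr[:]))
	_, err := io.ReadFull(s, msg)
	return msg, err
}

// serveUnbounded is the vulnerable pattern: a goroutine per accepted stream, no
// cap and no deadline. Returns how many goroutines are parked in Read: all n.
func serveUnbounded(n int) int64 {
	var parked int64
	var started sync.WaitGroup
	for i := 0; i < n; i++ { // stands in for the accept loop
		started.Add(1)
		go func(s stream) {
			atomic.AddInt64(&parked, 1)
			started.Done()
			readMessage(s) // parks here until the attacker closes the stream
		}(&stalledStream{})
	}
	started.Wait()
	return atomic.LoadInt64(&parked)
}

// serveBounded is the hardened pattern: poolSize worker slots plus a per-stream
// read deadline. A stream arriving while the pool is full is rejected at accept
// time (real code would also close or reset it) instead of parking a goroutine.
func serveBounded(n, poolSize int, timeout time.Duration) (rejected, timedOut int64) {
	sem := make(chan struct{}, poolSize)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		select {
		case sem <- struct{}{}:
		default:
			rejected++
			continue
		}
		wg.Add(1)
		go func(s stream) {
			defer wg.Done()
			defer func() { <-sem }()
			s.SetReadDeadline(time.Now().Add(timeout))
			if _, err := readMessage(s); err != nil {
				atomic.AddInt64(&timedOut, 1)
			}
		}(&stalledStream{})
	}
	wg.Wait()
	return rejected, timedOut
}

func main() {
	r, t := serveBounded(10000, 8, 50*time.Millisecond)
	fmt.Println("unbounded parked:", serveUnbounded(10000), "| bounded rejected:", r, "timed out:", t)
}
```

Running it shows the asymmetry the advisory describes: the unbounded loop ends with one parked goroutine per attacker stream and nothing ever releases them, while the bounded loop holds at most eight handlers, each of which returns after the deadline, and turns every excess stream away at accept time.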
How can this vulnerability impact me?
This vulnerability can cause CoreDNS servers to experience unbounded memory growth and excessive goroutine spawning, which can exhaust system resources.
As a result, the server may be terminated by the operating system due to out-of-memory conditions (OOM-kill) or crash, leading to denial of service.
Since the attack is unauthenticated and remote, any attacker can exploit this to disrupt DNS services relying on vulnerable CoreDNS versions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a remote attacker opening many QUIC streams and sending only 1 byte per stream, which causes unbounded goroutine and memory growth in CoreDNS versions prior to 1.14.3.
QUIC runs over UDP, and its connection and stream state lives inside the CoreDNS process rather than in the kernel, so socket tools such as netstat, ss or lsof show only the listening UDP socket and cannot count QUIC connections or streams. Detection therefore has to come from the process itself: its goroutine count and memory use, which CoreDNS exposes through the prometheus and pprof plugins when they are enabled.
Suggested commands:
- 'coredns -version' to confirm whether the running build is older than 1.14.3.
- 'ss -ulnp' to confirm whether a quic:// listener is exposed at all (the DoQ port is 853/udp by default; substitute the port from your Corefile).
- 'curl -s http://localhost:9153/metrics | grep -E "^(go_goroutines|go_memstats_heap_inuse_bytes|process_resident_memory_bytes) "' if the prometheus plugin is enabled (its default listen address is localhost:9153). A goroutine count that climbs steadily and stays high while query volume is flat is the signature of parked stream handlers.
- 'curl -s "http://localhost:6053/debug/pprof/goroutine?debug=1"' if the pprof plugin is enabled (default localhost:6053). Many goroutines with the same stack, blocked in a stream read, are the direct symptom.
- 'top -p $(pidof coredns)' or 'kubectl top pod' to watch resident memory of the CoreDNS process over time.
- 'tcpdump -n -i any udp port 853' to see who is sending QUIC traffic to the DoQ port. The payload is encrypted, but a burst of packets from a handful of source addresses with little reply traffic is worth correlating with the metrics above.
- 'journalctl -k | grep -i "out of memory"' (or dmesg) to confirm whether the process has already been OOM-killed, and the CoreDNS logs for restarts or errors related to resource exhaustion.
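A small check over a metrics scrape, added here as an example written for this page (not a CoreDNS tool): it parses the Prometheus text format, picks out the unlabelled go_goroutines and go_memstats_heap_inuse_bytes gauges that the prometheus plugin exposes, and reports any that exceed a threshold. The thresholds and the sample scrape are constructed for the example; real thresholds should come from a baseline of the deployment, and the scrape would normally come from curl against the metrics endpoint.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Thresholds are assumptions for illustration; derive real ones from a baseline
// (go_goroutines on an idle CoreDNS is typically in the tens, not thousands).
const (
	maxGoroutines = 5000
	maxHeapBytes  = 512 << 20
)

// parseMetrics extracts sample values from a Prometheus text scrape. Lines are
// "name value" or "name{labels} value"; "#" lines are comments. For labelled
// series the last sample wins; the two gauges checked below are unlabelled.
func parseMetrics(scrape string) map[string]float64 {
	out := map[string]float64{}
	sc := bufio.NewScanner(strings.NewReader(scrape))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		name := fields[0]
		if i := strings.IndexByte(name, '{'); i >= 0 {
			name = name[:i] // keep the metric name, drop the label set
		}
		if v, err := strconv.ParseFloat(fields[1], 64); err == nil {
			out[name] = v
		}
	}
	return out
}

// checkResourceGrowth returns the findings that point at parked stream
// handlers: goroutine count or heap in use above threshold. Empty means clean.
func checkResourceGrowth(scrape string) []string {
	m := parseMetrics(scrape)
	var findings []string
	if g, ok := m["go_goroutines"]; ok && g > maxGoroutines {
		findings = append(findings, fmt.Sprintf("go_goroutines=%.0f exceeds %d", g, maxGoroutines))
	}
	if h, ok := m["go_memstats_heap_inuse_bytes"]; ok && h > maxHeapBytes {
		findings = append(findings, fmt.Sprintf("heap in use %.0f MiB exceeds %d MiB", h/(1<<20), maxHeapBytes>>20))
	}
	return findings
}

// sampleScrape is a constructed excerpt of a /metrics page during an attack;
// the numbers are made up for the example.
const sampleScrape = `# HELP go_goroutines Number of goroutines that currently exist.
# TYPE go_goroutines gauge
go_goroutines 48213
# HELP go_memstats_heap_inuse_bytes Number of heap bytes that are in use.
# TYPE go_memstats_heap_inuse_bytes gauge
go_memstats_heap_inuse_bytes 7.34003e+08
coredns_dns_requests_total{family="1",proto="udp",server="dns://:53",type="A",zone="."} 1203
`

func main() {
	for _, f := range checkResourceGrowth(sampleScrape) {
		fmt.Println("ALERT:", f)
	}
}
```

Pointing this at a periodic scrape and alerting on the trend rather than a single reading is the useful form: the advisory's failure mode is a count that only ever grows while the attacker keeps streams open.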
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade CoreDNS to version 1.14.3 or later, where this vulnerability has been fixed.
No workaround fully mitigates the issue without upgrading.
Until the upgrade can be applied, reduce exposure: if DoQ is not needed, remove the quic:// server block from the Corefile so that no DoQ listener exists; otherwise restrict which sources can reach the DoQ port (853/udp by default) with firewall or security-group rules and rate-limit UDP to that port per source address. Note that QUIC streams are multiplexed inside an encrypted UDP flow, so network-level controls can limit connections and packet rates but cannot see or cap the number of streams per connection; only the upgrade bounds that.