CVE-2026-32936
DoS via Oversized DoH GET Requests in CoreDNS
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coredns | coredns | to 1.14.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability affects CoreDNS versions prior to 1.14.3 in the DNS-over-HTTPS (DoH) GET request handling. The GET path accepts oversized "dns=" query parameter values without proper size validation before processing. As a result, the server performs expensive operations like URL query parsing, base64 decoding, and DNS message unpacking on these large inputs before rejecting them.
Unlike the POST path, which limits request size to 65536 bytes, the GET path lacks such bounds, allowing an attacker to send very large requests. This leads to high CPU usage, large transient memory allocations, and increased garbage collection pressure.
A remote, unauthenticated attacker can exploit this by repeatedly sending oversized DoH GET requests, causing denial of service due to resource exhaustion. The issue was fixed in CoreDNS version 1.14.3.
How can this vulnerability impact me? :
This vulnerability can lead to a denial-of-service (DoS) condition on affected CoreDNS servers. An attacker can remotely and without authentication send specially crafted oversized DoH GET requests that cause the server to consume excessive CPU and memory resources.
The resulting high CPU usage, large memory allocations, and increased garbage collection pressure can degrade server performance or cause it to become unresponsive, impacting availability of DNS services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high CPU usage, large transient memory allocations, and elevated garbage-collection pressure on CoreDNS servers handling DNS-over-HTTPS (DoH) GET requests.
Specifically, detection involves identifying oversized DoH GET requests with large "dns=" query parameters that cause extensive processing before rejection.
Network monitoring tools or packet capture utilities can be used to filter and inspect HTTP GET requests to the DoH endpoint for abnormally large "dns=" query parameters.
- Use tcpdump or Wireshark to capture and filter HTTP GET requests to the DoH endpoint, for example: tcpdump -i <interface> -A 'tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET /dns-query?dns='
- Use monitoring commands like top, htop, or ps to observe high CPU and memory usage by the CoreDNS process.
- Check CoreDNS logs for repeated 400 Bad Request responses triggered by oversized DoH GET requests.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade CoreDNS to version 1.14.3 or later, where this vulnerability has been fixed by adding size validation on the DoH GET path.
Until the upgrade can be applied, consider implementing network-level protections such as rate limiting or filtering oversized DoH GET requests to reduce the impact of potential attacks.
Additionally, monitor system resource usage closely to detect and respond to abnormal spikes caused by exploitation attempts.