๐Ÿ” CVE Alert

CVE-2026-32936

UNKNOWN 0.0

CoreDNS DoH GET path missing size validation causes CPU and memory amplification

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.
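
The missing check described above, sketched as an added example (not CoreDNS code and not the project's actual fix): the encoded dns= value is measured against the encoded form of the 65536-byte POST bound before any decoding. DecodeDoHGet, maxDNSMsg, maxDNSParam and the error names are hypothetical, and the inputs are constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// maxDNSMsg mirrors the 65536-byte bound the advisory cites for the POST path.
const maxDNSMsg = 65536

// maxDNSParam is the longest unpadded base64url string that decodes to maxDNSMsg bytes.
var maxDNSParam = base64.RawURLEncoding.EncodedLen(maxDNSMsg)

var (
	ErrTooLarge = errors.New("dns parameter exceeds size bound")
	ErrMissing  = errors.New("dns parameter missing")
)

// DecodeDoHGet is a hypothetical helper, not a CoreDNS function. It finds dns=
// in the raw query string and rejects an oversized value before any base64
// decoding, so the expensive steps never run on attacker-sized input.
// Assumption: the value is unpadded base64url, which needs no percent-decoding.
func DecodeDoHGet(rawQuery string) ([]byte, error) {
	for rest := rawQuery; rest != ""; {
		var pair string
		pair, rest, _ = strings.Cut(rest, "&")
		key, val, _ := strings.Cut(pair, "=")
		if key != "dns" {
			continue
		}
		// Length check on the still-encoded value: constant time, no allocation.
		if len(val) > maxDNSParam {
			return nil, ErrTooLarge
		}
		return base64.RawURLEncoding.DecodeString(val)
	}
	return nil, ErrMissing
}

func main() {
	// Constructed inputs: one small value, one a single character over the bound.
	ok := base64.RawURLEncoding.EncodeToString([]byte("constructed-dns-message"))
	for _, q := range []string{"dns=" + ok, "dns=" + strings.Repeat("A", maxDNSParam+1)} {
		msg, err := DecodeDoHGet(q)
		fmt.Printf("query length %d -> %d bytes decoded, err=%v\n", len(q), len(msg), err)
	}
}
```

In a real handler the same length test would sit at the top of the GET branch, with the oversized case answered by an HTTP error status before the DNS message is unpacked.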

CWE: CWE-400
Vendor: coredns
Product: coredns
Published: May 5, 2026
Last Updated: May 5, 2026

Affected Versions

coredns / coredns
< 1.14.3

References

github.com: https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr
github.com: https://github.com/coredns/coredns/releases/tag/v1.14.3