HIGH SeverityCVSS 4.08.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE-2026-32936

Last updated May 05, 2026 · Published May 05, 2026

Description

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.

Affected products

1 listed

coredns:coredns

Mappings

CWE

CWE-400

CAPEC

None listed.

Guides

Rate Limiting in Node.jsPatterns for APIs, login endpoints, and abuse control.

Training

API Design That Defends ItselfREST, GraphQL, and gRPC patterns that reduce your attack surface by design.

CVE-2026-32936

Description

Affected products

Mappings

Related