CVE-2026-32934

Name of the Vulnerable Software and Affected Versions CoreDNS versions prior to 1.14.3

Description The DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by an unauthenticated remote attacker. This occurs when a client opens numerous QUIC streams and sends only one byte per stream. Even when the worker pool is full, the server continues to spawn a goroutine for every accepted stream to wait for a worker token. Furthermore, active workers can block indefinitely in the io.ReadFull() function because there is no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte while the system waits for the second byte of the DoQ length prefix. This sequence leads to memory exhaustion and an OOM-kill (Out-Of-Memory kill), resulting in a denial of service.

Recommendations Update to version 1.14.3.