PT-2026-37095 · Coredns · Coredns

Thesmartshadow · Published 2026-04-28 · Updated 2026-05-06 · CVE-2026-32936

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: CoreDNS versions prior to 1.14.3

Description: CoreDNS is a DNS server that chains plugins. A denial-of-service issue exists in the DNS-over-HTTPS (DoH) GET path because it lacks early size validation of incoming requests. A remote, unauthenticated attacker can send oversized requests to the '/dns-query' endpoint via the 'dns' query parameter. The server performs expensive operations (URL query parsing, base64 decoding via the base64ToMsg() function, and DNS message unpacking) before it rejects the request with a 400 Bad Request.

This forces high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, which can degrade throughput and responsiveness or cause a complete denial of service, particularly on memory-constrained deployments.

Recommendations: Update to version 1.14.3. As a temporary workaround, restrict access to the '/dns-query' endpoint or deploy a web application firewall (WAF) that limits the size of GET request targets and of the 'dns' parameter.
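One way to implement the early size validation the description says is missing, as an added example (not CoreDNS's own code): the handler name, the size limits and the sample query below are assumptions or constructed values, and full DNS unpacking is replaced by a minimal header check.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Limits chosen here as assumptions (not CoreDNS's values): a DNS message is at
// most 65535 bytes on the wire, and unpadded base64url grows it by 4/3.
const (
	maxWireLen  = 65535
	maxParamLen = (maxWireLen*4 + 2) / 3 // 87380 encoded characters
	// sampleQuery is a constructed base64url-encoded A query for example.com (ID 0).
	sampleQuery = "dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE"
)

// dohGetHandler is a hypothetical GET /dns-query handler that rejects oversized
// requests before query parsing, base64 decoding and DNS unpacking are reached,
// so an oversized request costs the server a single length comparison.
func dohGetHandler(w http.ResponseWriter, r *http.Request) {
	// RawQuery is already split off by the HTTP layer: len() is O(1) and runs
	// before url.ParseQuery has to walk and unescape the whole string.
	if len(r.URL.RawQuery) > len("dns=")+maxParamLen {
		http.Error(w, "request too large", http.StatusBadRequest)
		return
	}
	enc := r.URL.Query().Get("dns") // bounded now, so parsing cost is bounded too
	if enc == "" || len(enc) > maxParamLen {
		http.Error(w, "bad dns parameter", http.StatusBadRequest)
		return
	}
	wire, err := base64.RawURLEncoding.DecodeString(enc)
	// Stand-in for full unpacking: 12-byte header with exactly one question (QDCOUNT = bytes 4-5).
	if err != nil || len(wire) < 12 || binary.BigEndian.Uint16(wire[4:6]) != 1 {
		http.Error(w, "malformed DNS message", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/dns-message")
	w.WriteHeader(http.StatusOK) // a real resolver would write the DNS answer here
}

// statusFor feeds the handler an in-memory GET /dns-query?<rawQuery> and returns
// the HTTP status code, so the gate can be exercised without a network listener.
func statusFor(rawQuery string) int {
	req := &http.Request{Method: http.MethodGet, URL: &url.URL{Path: "/dns-query", RawQuery: rawQuery}}
	rec := httptest.NewRecorder()
	dohGetHandler(rec, req)
	return rec.Code
}
```

The same bound on the request target is what the recommended WAF workaround enforces in front of an unpatched server; note that net/http's own Server.MaxHeaderBytes also caps the request line, but its 1 MiB default is far above any legitimate DNS message.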

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-32936
GHSA-63CW-R7XF-JMWR

Affected Products

Coredns