VDB

ANCHORE-2026-32936

ANCHORE-2026-32936 PUBLISHED

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.

Affected Products

VendorProductVersions
corednscoredns0

Timeline

  • May 5, 2026 CVE Published
  • May 5, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›