CVE-2026-32934 Overview
CoreDNS is a pluggable DNS server, widely deployed as the default cluster DNS service in Kubernetes. CVE-2026-32934 affects the DNS-over-QUIC (DoQ) server in CoreDNS versions prior to 1.14.3. A remote, unauthenticated attacker can trigger unbounded goroutine and memory growth by opening many QUIC streams and sending only a single byte on each. The result is memory exhaustion and an OOM-kill of the CoreDNS process, which disrupts resolution for every service that depends on it. The weakness is classified as CWE-770: Allocation of Resources Without Limits or Throttling.
Critical Impact
An unauthenticated remote attacker can exhaust CoreDNS memory and trigger an OOM-kill, disrupting DNS resolution across affected infrastructure.
Affected Products
- CoreDNS versions prior to 1.14.3
- Deployments that expose a DoQ listener (a quic:// server block in the Corefile)
- Kubernetes clusters and cloud-native environments running vulnerable CoreDNS builds
Discovery Timeline
- 2026-05-05 - CVE-2026-32934 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-32934
Vulnerability Analysis
The vulnerability resides in the DoQ server's stream-handling logic. CoreDNS uses a worker pool to process incoming QUIC streams, but the implementation does not bound concurrent stream acceptance. When the worker pool is saturated, the server still spawns a new goroutine per accepted stream to wait for an available worker token. An attacker can open arbitrarily many streams, and each parked goroutine holds its stack (a few kilobytes at minimum) plus scheduler metadata, so resident memory grows linearly with the attacker-controlled stream count until the process is killed by the kernel's OOM killer.
Root Cause
Two defects combine to enable the attack. First, goroutine creation is not bounded by worker-pool capacity: when the pool is full, each additional stream still gets a goroutine that waits for a token, so no backpressure ever reaches the client. Second, active workers call io.ReadFull() to read the two-byte DoQ length prefix (RFC 9250 frames every DNS message with a two-octet length field) without applying a per-stream read deadline. A client that sends the first byte and then goes silent blocks that worker indefinitely on the second byte. With every worker pinned, the queued goroutines never drain. The combination is the classic resource-exhaustion pattern described by CWE-770.
Attack Vector
Exploitation requires only network reachability to the DoQ listener. The attacker establishes a QUIC connection and opens many streams, writing exactly one byte to each before pausing. No authentication, user interaction, or valid DNS query is required. Because the read on each stream blocks indefinitely and new streams continue spawning goroutines, the CoreDNS process grows in memory until the host's OOM killer terminates it. Refer to the GitHub Security Advisory GHSA-2wpx-qpw2-g5h5 for additional technical context.
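The two defects above and the one-byte-per-stream attack, as an added Go example that is not code from CoreDNS or the advisory: a DoQ stream is modelled as anything with Read and SetReadDeadline, the unbounded io.ReadFull sits beside a deadline-protected version, and the spawn-then-wait-for-a-token pattern is replaced by a limiter that is consulted before any goroutine is created. Streams are simulated with net.Pipe so it runs offline; every type and function name here is hypothetical.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"time"
)

// stream is the minimal surface the handler needs. A quic-go stream satisfies
// it; for an offline run, the server end of net.Pipe does too.
type stream interface {
	io.Reader
	SetReadDeadline(t time.Time) error
}

// readLengthPrefixVulnerable mirrors the defect: io.ReadFull on the two-byte
// DoQ length prefix with no deadline. A client that sends one byte and then
// goes silent pins this worker forever.
func readLengthPrefixVulnerable(s stream) (uint16, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(s, hdr[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint16(hdr[:]), nil
}

// readLengthPrefixHardened arms a per-stream read deadline before the blocking
// read, so a half-open stream costs at most `timeout` of worker time.
func readLengthPrefixHardened(s stream, timeout time.Duration) (uint16, error) {
	if err := s.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return 0, err
	}
	var hdr [2]byte
	if _, err := io.ReadFull(s, hdr[:]); err != nil {
		return 0, fmt.Errorf("read DoQ length prefix: %w", err)
	}
	return binary.BigEndian.Uint16(hdr[:]), nil
}

// streamLimiter bounds in-flight streams. The accept loop calls TryAcquire
// before spawning a goroutine, so the goroutine count can never exceed
// capacity; the vulnerable pattern spawned one goroutine per stream to wait.
type streamLimiter struct{ tokens chan struct{} }

func newStreamLimiter(capacity int) *streamLimiter {
	return &streamLimiter{tokens: make(chan struct{}, capacity)}
}

// TryAcquire reports whether a worker slot was free. When it is not, the
// caller rejects the stream instead of queuing an unbounded waiter.
func (l *streamLimiter) TryAcquire() bool {
	select {
	case l.tokens <- struct{}{}:
		return true
	default:
		return false
	}
}

func (l *streamLimiter) Release() { <-l.tokens }

// attackResult summarises one simulated run.
type attackResult struct{ Admitted, Rejected, Finished int }

// simulateHalfOpenStreams models the attack: n streams, a single byte written
// on each, never the second. lim == nil reproduces the unbounded accept path.
// Finished counts handlers that returned within wait; with the vulnerable
// reader it stays at zero because every handler is parked inside io.ReadFull.
func simulateHalfOpenStreams(n int, lim *streamLimiter, read func(stream) (uint16, error), wait time.Duration) attackResult {
	var res attackResult
	finished := make(chan struct{}, n)
	for i := 0; i < n; i++ {
		server, client := net.Pipe()
		if lim != nil && !lim.TryAcquire() {
			res.Rejected++ // pool saturated: reject, do not queue a goroutine
			server.Close()
			client.Close()
			continue
		}
		res.Admitted++
		go func(c net.Conn) { _, _ = c.Write([]byte{0x00}) }(client) // attacker: one byte, then silence
		go func(s net.Conn) { // worker: one goroutine per admitted stream
			if lim != nil {
				defer lim.Release()
			}
			_, _ = read(s)
			s.Close()
			finished <- struct{}{}
		}(server)
	}
	timer := time.After(wait)
	for {
		select {
		case <-finished:
			res.Finished++
		case <-timer:
			return res
		}
	}
}

func main() {
	fmt.Printf("vulnerable, unbounded: %+v\n",
		simulateHalfOpenStreams(1000, nil, readLengthPrefixVulnerable, 300*time.Millisecond))
	hardened := func(s stream) (uint16, error) { return readLengthPrefixHardened(s, 100*time.Millisecond) }
	fmt.Printf("hardened, 8 workers:   %+v\n",
		simulateHalfOpenStreams(1000, newStreamLimiter(8), hardened, time.Second))
}
```

The first run leaves a thousand goroutines parked in io.ReadFull with nothing to wake them, which is the growth curve the advisory describes; the second admits only as many streams as there are workers, rejects the rest at accept time, and frees each worker once the deadline fires.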
Detection Methods for CVE-2026-32934
Indicators of Compromise
- Sudden, sustained growth in CoreDNS process resident memory (RSS) without a corresponding rise in legitimate query volume
- Goroutine counts in CoreDNS Prometheus metrics climbing into the tens or hundreds of thousands
- Repeated OOM-kill events for CoreDNS pods or processes in system logs
- Large numbers of half-open QUIC streams from a single source IP or small set of IPs
Detection Strategies
- Monitor the go_goroutines and process_resident_memory_bytes metrics exposed by the CoreDNS prometheus plugin and alert on deviations from an established baseline; compare them with coredns_dns_requests_total so that goroutine growth not explained by query volume stands out
- Inspect QUIC telemetry on UDP port 853 (or whichever port the quic:// block binds) for clients that open many streams but send almost no payload bytes
- Correlate kernel oom-killer events targeting CoreDNS with concurrent traffic spikes on DoQ listeners
Monitoring Recommendations
- Alert on CoreDNS pod restarts caused by exit code 137 (SIGKILL from OOM)
- Track per-source-IP QUIC stream counts and flag clients exceeding normal request patterns
- Forward CoreDNS logs and runtime metrics to a centralized analytics platform for longitudinal analysis
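The metric-based detection strategy and the alerting recommendations above, as an added Go example that is not tooling from CoreDNS: it parses two Prometheus scrapes in text exposition format, sums each metric family across its label sets, and flags goroutine growth that the request counter does not explain. go_goroutines and process_resident_memory_bytes are the Go client metrics the page names and coredns_dns_requests_total is CoreDNS's request counter; the sample values, label sets and thresholds are constructed, and the function and type names are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed scrapes: a quiet baseline, the same instance one minute into a
// half-open-stream flood, and a legitimately busy instance for comparison.
const scrapeBaseline = `
# TYPE go_goroutines gauge
go_goroutines 42
# TYPE process_resident_memory_bytes gauge
process_resident_memory_bytes 5.2e+07
# TYPE coredns_dns_requests_total counter
coredns_dns_requests_total{server="dns://:53",zone=".",view="",proto="udp",family="1",type="A"} 12000
coredns_dns_requests_total{server="dns://:53",zone=".",view="",proto="tcp",family="1",type="A"} 300
`
const scrapeAttack = `
go_goroutines 180000
process_resident_memory_bytes 1.9e+09
coredns_dns_requests_total{server="dns://:53",zone=".",view="",proto="udp",family="1",type="A"} 12150
coredns_dns_requests_total{server="dns://:53",zone=".",view="",proto="tcp",family="1",type="A"} 310
`
const scrapeBusy = `
go_goroutines 6200
process_resident_memory_bytes 9.0e+07
coredns_dns_requests_total{server="dns://:53",zone=".",view="",proto="udp",family="1",type="A"} 2012000
coredns_dns_requests_total{server="dns://:53",zone=".",view="",proto="tcp",family="1",type="A"} 300
`

// parseScrape sums every sample of each metric family, ignoring labels. That is
// enough for the gauges and the request counter used here; a production parser
// would also honour escaped quotes inside label values.
func parseScrape(text string) (map[string]float64, error) {
	out := map[string]float64{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		var name, rest string
		if lb := strings.IndexByte(line, '{'); lb >= 0 {
			rb := strings.IndexByte(line, '}')
			if rb < lb {
				return nil, fmt.Errorf("unterminated label set: %q", line)
			}
			name, rest = line[:lb], line[rb+1:]
		} else if sp := strings.IndexAny(line, " \t"); sp >= 0 {
			name, rest = line[:sp], line[sp:]
		} else {
			return nil, fmt.Errorf("sample without value: %q", line)
		}
		fields := strings.Fields(rest)
		if len(fields) == 0 {
			return nil, fmt.Errorf("sample without value: %q", line)
		}
		v, err := strconv.ParseFloat(fields[0], 64)
		if err != nil {
			return nil, fmt.Errorf("%q: %w", line, err)
		}
		out[name] += v
	}
	return out, sc.Err()
}

type thresholds struct {
	MinGoroutineGrowth      float64 // absolute increase below which nothing is flagged
	MaxGoroutinesPerRequest float64 // growth per new query above which it is unexplained
}

var defaultThresholds = thresholds{MinGoroutineGrowth: 5000, MaxGoroutinesPerRequest: 10}

type finding struct {
	GoroutineDelta, RequestDelta, RSSDelta float64
	Suspicious                             bool
	Reason                                 string
}

// analyze compares two scrapes of one CoreDNS instance. Goroutines that grow
// far faster than served queries is the signature of streams that were
// accepted but never completed.
func analyze(before, after string, th thresholds) (finding, error) {
	b, err := parseScrape(before)
	if err != nil {
		return finding{}, err
	}
	a, err := parseScrape(after)
	if err != nil {
		return finding{}, err
	}
	f := finding{
		GoroutineDelta: a["go_goroutines"] - b["go_goroutines"],
		RequestDelta:   a["coredns_dns_requests_total"] - b["coredns_dns_requests_total"],
		RSSDelta:       a["process_resident_memory_bytes"] - b["process_resident_memory_bytes"],
	}
	switch {
	case f.GoroutineDelta < th.MinGoroutineGrowth:
		f.Reason = "goroutine growth within normal range"
	case f.RequestDelta <= 0 || f.GoroutineDelta/f.RequestDelta > th.MaxGoroutinesPerRequest:
		f.Suspicious = true
		f.Reason = fmt.Sprintf("%.0f new goroutines for %.0f new queries, RSS +%.0f MiB",
			f.GoroutineDelta, f.RequestDelta, f.RSSDelta/(1<<20))
	default:
		f.Reason = "goroutine growth tracks query volume"
	}
	return f, nil
}

func main() {
	for name, after := range map[string]string{"attack": scrapeAttack, "busy": scrapeBusy} {
		f, err := analyze(scrapeBaseline, after, defaultThresholds)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-6s suspicious=%-5t %s\n", name, f.Suspicious, f.Reason)
	}
}
```

The busy instance is deliberately above the absolute goroutine threshold: it is the ratio to new queries, not goroutine count alone, that separates load from a half-open-stream flood, which is why the same check belongs in a PromQL alert as a rate comparison rather than a single static threshold.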
How to Mitigate CVE-2026-32934
Immediate Actions Required
- Upgrade CoreDNS to version 1.14.3 or later, which contains the official fix
- Audit Kubernetes and service mesh deployments to identify any CoreDNS instances exposing DoQ
- Restrict DoQ listener exposure to trusted network ranges using firewall or network policy rules
- Set memory requests and limits on CoreDNS pods so that an OOM-kill is contained to the pod and surfaces as a restart; a limit bounds the blast radius but does not prevent the outage, so keep multiple replicas so resolution survives one replica restarting
Patch Information
The maintainers fixed the issue in CoreDNS Release v1.14.3. The patch enforces per-stream read deadlines and bounds goroutine creation against worker pool capacity. Operators should pull the updated container image or binary and roll out across all CoreDNS replicas. Verify the running version with coredns -version after deployment.
Workarounds
- The vendor advisory lists no official workaround; the compensating controls below reduce exposure until the upgrade is rolled out
- Remove the quic:// server block from the Corefile if DNS-over-QUIC is not required; this removes the vulnerable listener entirely
- Otherwise, place CoreDNS behind a QUIC-aware proxy or load balancer that enforces per-connection stream-count and idle-timeout limits as a temporary compensating control
# Disable the DoQ listener in Corefile until patched
# Remove or comment the quic:// server block:
# quic://. {
# forward . 1.1.1.1
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


