Nixpkgs security tracker

Accepted

Permalink CVE-2026-32934

updated an hour ago by @LeSuisse Activity log

Created suggestion 4 hours ago
@LeSuisse ignored reference https://g… an hour ago
@LeSuisse accepted an hour ago

CoreDNS DNS-over-QUIC unbounded goroutine growth leads to denial of service

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.

References

https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5 x_refsource_CONFIRM

Ignored references (1)

https://github.com/coredns/coredns/releases/tag/v1.14.3 x_refsource_MISC

Affected products

coredns

==< 1.14.3

Matching in nixpkgs

pkgs.coredns

DNS server that runs middleware

nixos-unstable 1.14.2
- nixpkgs-unstable 1.14.2
- nixos-unstable-small 1.14.2
nixos-25.11 1.13.2
- nixos-25.11-small 1.13.2
- nixpkgs-25.11-darwin 1.13.2

Package maintainers

@rushmorem Rushmore Mushambi <rushmore@webenchanter.com>
@djds djds <git@djds.dev>
@DeltaEvo Duarte David <deltaduartedavid@gmail.com>
@johanot Johan Thomsen <write@ownrisk.dk>
@rtreffer Rene Treffer <treffer+nixos@measite.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.coredns

Package maintainers