Nixpkgs security tracker

Accepted

Permalink CVE-2026-32936

updated a minute ago by @LeSuisse Activity log

Created suggestion 3 hours ago
@LeSuisse ignored reference https://g… a minute ago
@LeSuisse accepted a minute ago

CoreDNS DoH GET path missing size validation causes CPU and memory amplification

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.

References

https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr x_refsource_CONFIRMexploit

Ignored references (1)

https://github.com/coredns/coredns/releases/tag/v1.14.3 x_refsource_MISC

Affected products

coredns

==< 1.14.3

Matching in nixpkgs

pkgs.coredns

DNS server that runs middleware

nixos-unstable 1.14.2
- nixpkgs-unstable 1.14.2
- nixos-unstable-small 1.14.2
nixos-25.11 1.13.2
- nixos-25.11-small 1.13.2
- nixpkgs-25.11-darwin 1.13.2

Package maintainers

@rushmorem Rushmore Mushambi <rushmore@webenchanter.com>
@djds djds <git@djds.dev>
@DeltaEvo Duarte David <deltaduartedavid@gmail.com>
@johanot Johan Thomsen <write@ownrisk.dk>
@rtreffer Rene Treffer <treffer+nixos@measite.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.coredns

Package maintainers