CoreDNS, the flexible and chainable DNS server written in Go, has released a critical security update to address five significant vulnerabilities. These flaws, ranging from Denial-of-Service (DoS) to Authentication Bypass, primarily impact modern encrypted DNS transports like DNS-over-HTTPS (DoH), DNS-over-QUIC (DoQ), and gRPC.
Security administrators are urged to update to version 1.14.3 immediately to protect their infrastructure.
CVE-2026-32936 (CVSS 7.5): Resource Exhaustion via Oversized DoH Queries
The DNS-over-HTTPS (DoH) implementation was found to be susceptible to a memory and CPU amplification attack.
The server’s GET path failed to validate the size of the dns= query parameter before performing intensive tasks like request parsing, unescaping, and base64 decoding.
An unauthenticated attacker can flood the server with oversized requests, forcing high CPU usage and massive memory allocations. This can lead to degraded responsiveness or a complete service crash, especially on memory-constrained systems.
CVE-2026-35579 & CVE-2026-33190 (CVSS 7.5): The “Silent” TSIG Authentication Bypass
Two related vulnerabilities involve the TSIG (Transaction Signature) plugin, which is used to secure communication between DNS servers.
In several transports (including gRPC, QUIC, and DoH), CoreDNS either failed to verify the TSIG HMAC entirely or incorrectly trusted the transport writer without independent verification.
Attackers can bypass authentication to perform unauthorized actions like AXFR/IXFR zone transfers, allowing them to dump sensitive internal zone data. For the DoH/DoH3 transports, the server would treat any TSIG record as valid, even if the key name was completely unknown to the system.
CVE-2026-32934 (CVSS 7.5): Memory Exhaustion in DNS-over-QUIC (DoQ)
The DNS-over-QUIC server was discovered to have a “backlog” issue where it did not properly bound its worker pool.
A remote client can open numerous QUIC streams and then stall them after sending only a single byte.
CoreDNS spawns a new goroutine for every stream. Because there is no per-stream read deadline, those goroutines stay alive indefinitely, and the unbounded accumulation eventually leads to an Out-of-Memory (OOM) kill and a service outage.
CVE-2026-33489 (CVSS 7.5): Subzone ACL Bypass in Transfer Plugin
A logic error in how the transfer plugin selects Access Control List (ACL) stanzas could lead to unauthorized data exposure.
When both a parent zone and a specific subzone are configured, the plugin uses a lexicographic comparison that can cause a permissive parent rule to override a restrictive subzone rule.
This allows unauthorized clients to bypass specific subzone protections and retrieve full zone contents via AXFR/IXFR.
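To make the stanza-selection flaw concrete, here is an added Go model (not the CoreDNS transfer plugin's code; the zone names, networks and stanza layout are constructed for illustration) that compares a lexicographic pick with a most-specific pick when both a parent and a subzone stanza match a transfer request:

```go
package main

import (
	"net"
	"strings"
)

// aclStanza models one transfer ACL entry: a zone and the CIDRs allowed to
// AXFR/IXFR it. Constructed model of the bug class above, not CoreDNS code.
type aclStanza struct {
	Zone    string
	Allowed []string
}

// selectStanza picks the stanza governing qname among those whose zone is
// qname or a parent of it (suffix match on a label boundary). Flawed rule
// (mostSpecific=false): the zone name that sorts first wins, so a parent
// can shadow a stricter subzone. Fixed rule: the longest matching zone wins.
func selectStanza(stanzas []aclStanza, qname string, mostSpecific bool) (best aclStanza, ok bool) {
	for _, s := range stanzas {
		if qname != s.Zone && !strings.HasSuffix(qname, "."+s.Zone) {
			continue
		}
		if !ok || (mostSpecific && len(s.Zone) > len(best.Zone)) || (!mostSpecific && s.Zone < best.Zone) {
			best, ok = s, true
		}
	}
	return
}

// transferAllowed decides whether client may transfer qname under either rule.
func transferAllowed(stanzas []aclStanza, qname, client string, mostSpecific bool) bool {
	s, ok := selectStanza(stanzas, qname, mostSpecific)
	if !ok {
		return false
	}
	for _, cidr := range s.Allowed {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(net.ParseIP(client)) {
			return true
		}
	}
	return false
}

// Constructed configuration: the parent zone allows transfers from anywhere,
// the subzone only from an internal network. All names are placeholders.
var config = []aclStanza{
	{Zone: "example.org.", Allowed: []string{"0.0.0.0/0"}},
	{Zone: "internal.example.org.", Allowed: []string{"10.0.0.0/8"}},
}
```

Whether the lexicographic rule misbehaves depends only on how the names happen to sort, which is why it is a logic error rather than a consistently wrong answer: a subzone whose name sorts before its parent is handled correctly by accident.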
Remediation and Mitigation
The most effective way to secure your environment is to upgrade CoreDNS to version 1.14.3.
If you cannot upgrade immediately:
- Restrict Access: Use network-level firewalls to limit access to affected transport ports (gRPC, QUIC, DoH) to trusted sources only.
- Disable Sensitive Listeners: If TSIG is required but cannot be verified, consider disabling the gRPC, QUIC, and DoH listeners until the patch is applied.
- Minimize Exposure: Avoid exposing critical functions like zone transfers or dynamic updates over these newer, encrypted transports if they are currently unpatched.