
427 matches found

CBLMariner
added 6 days ago, 4 views

CVE-2026-39821 affecting package coredns for versions less than 1.11.4-17

CVE-2026-39821 affecting package coredns for versions less than 1.11.4-17. A patched version of the package is available...

CVSS 9.6, AI score 5.8, EPSS 0.0005
Exploits: 0
RedhatCVE
added 2026/05/29 12:22 p.m., 5 views

CVE-2026-32934

A flaw was found in CoreDNS, a DNS server that chains plugins. The DNS-over-QUIC (DoQ) server is vulnerable to unbounded resource growth. An unauthenticated remote attacker can exploit this by opening numerous QUIC streams and sending only one byte per stream, causing the server to spawn excessive...

CVSS 8.7, AI score 5.7, EPSS 0.00235
Exploits: 1, References: 5
RedhatCVE
added 2026/05/29 12:22 p.m., 9 views

CVE-2026-32936

A flaw was found in CoreDNS, a DNS server that chains plugins. A remote, unauthenticated attacker can exploit this vulnerability by repeatedly sending oversized DNS-over-HTTPS (DoH) GET requests. The GET path, unlike the POST path, lacks size validation before processing large dns= query parameter...

CVSS 8.7, AI score 5.6, EPSS 0.00039
Exploits: 1, References: 5
RedhatCVE
added 2026/05/29 12:16 p.m., 6 views

CVE-2026-33489

A flaw was found in CoreDNS. An unauthorized remote client can exploit a vulnerability in the transfer plugin's Access Control List (ACL) stanza selection. This occurs when both a parent zone and a more-specific subzone are configured, and the longestMatch function incorrectly uses a lexicographic...

CVSS 8.2, AI score 5.8, EPSS 0.00015
Exploits: 1, References: 5
OSV
added 2026/05/20 7:7 p.m., 1 view

GO-2026-4969 CoreDNS' DoQ worker pool does not bound stream backlog in github.com/coredns/coredns

CoreDNS' DoQ worker pool does not bound stream backlog in github.com/coredns/coredns...

CVSS 8.7, AI score 5.8, EPSS 0.00235
Exploits: 1, References: 4
Positive Technologies
added 2026/05/20 12:0 a.m., 4 views

PT-2026-42372

CoreDNS' DoQ worker pool does not bound stream backlog in github.com/coredns/coredns...

CVSS 8.7, AI score 5.8, EPSS 0.00235
Exploits: 1, References: 5
CBLMariner
added 2026/05/18 8:36 p.m., 6 views

CVE-2026-35579 affecting package coredns for versions less than 1.11.4-16

CVE-2026-35579 affecting package coredns for versions less than 1.11.4-16. A patched version of the package is available...

CVSS 9.8, AI score 5.8, EPSS 0.0007
Exploits: 1
CBLMariner
added 2026/05/18 8:36 p.m., 5 views

CVE-2026-33489 affecting package coredns for versions less than 1.11.4-16

CVE-2026-33489 affecting package coredns for versions less than 1.11.4-16. A patched version of the package is available...

CVSS 8.2, AI score 5.8, EPSS 0.00015
Exploits: 1
CBLMariner
added 2026/05/18 8:36 p.m., 5 views

CVE-2026-32936 affecting package coredns for versions less than 1.11.4-16

CVE-2026-32936 affecting package coredns for versions less than 1.11.4-16. A patched version of the package is available...

CVSS 8.7, AI score 5.8, EPSS 0.00039
Exploits: 1
CBLMariner
added 2026/05/18 8:36 p.m., 8 views

CVE-2026-32934 affecting package coredns for versions less than 1.11.4-16

CVE-2026-32934 affecting package coredns for versions less than 1.11.4-16. A patched version of the package is available...

CVSS 8.7, AI score 5.8, EPSS 0.00235
Exploits: 1
RedhatCVE
added 2026/05/14 10:2 a.m., 9 views

CVE-2026-35579

A flaw was found in CoreDNS. An unauthenticated network attacker can exploit incorrect handling of TSIG (Transaction Signature) authentication in the gRPC, QUIC, DoH (DNS over HTTPS), and DoH3 transport implementations. This vulnerability allows an attacker to bypass TSIG protection, leading to...

CVSS 9.8, AI score 5.8, EPSS 0.0007
Exploits: 1, References: 4
Tenable Nessus
added 2026/05/10 12:0 a.m., 12 views

openSUSE 16 Security Update : coredns (openSUSE-SU-2026:20703-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20703-1 advisory. Changes in coredns: - Update to version 1.14.3: This release introduces Windows service support, along with full TSIG verification across DoH,...

CVSS 9.8, AI score 7.3, EPSS 0.00235
Exploits: 5, References: 26
Microsoft CVE
added 2026/05/07 8:2 a.m., 4 views

CoreDNS DoH GET path missing size validation causes CPU and memory amplification

...

CVSS 8.7, AI score 5.8, EPSS 0.00039
Exploits: 1
Microsoft CVE
added 2026/05/07 8:2 a.m., 6 views

CoreDNS transfer plugin subzone ACL bypass via lexicographic zone comparison

...

CVSS 8.2, AI score 5.8, EPSS 0.00015
Exploits: 1
Microsoft CVE
added 2026/05/07 8:2 a.m., 4 views

CoreDNS TSIG authentication bypass on encrypted DNS transports

...

CVSS 8.7, AI score 5.8, EPSS 0.00078
Exploits: 1
SUSE CVE
added 2026/05/07 2:21 a.m., 5 views

SUSE CVE-2026-32934

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a...

CVSS 7.5, AI score 5.7, EPSS 0.00235
Exploits: 1, References: 3
SUSE CVE
added 2026/05/07 2:20 a.m., 4 views

SUSE CVE-2026-35579

CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify to validate...

CVSS 9.8, AI score 5.8, EPSS 0.0007
Exploits: 1, References: 3
OSV
added 2026/05/06 5:18 p.m., 3 views

OPENSUSE-SU-2026:20703-1 Security update for coredns

This update for coredns fixes the following issues: Changes in coredns: - Update to version 1.14.3: This release introduces Windows service support, along with full TSIG verification across DoH, DoH3, QUIC, and gRPC transports, and improved TSIG propagation and DoH request validation. It also add...

CVSS 9.8, AI score 7.3, EPSS 0.00235
Exploits: 5, References: 13
ATTACKERKB
added 2026/05/05 8:29 p.m., 1 view

CVE-2026-35579

CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify to validate...

CVSS 8.2, AI score 5.8, EPSS 0.0007
Exploits: 1, References: 2, Affected Software: 1
NVD
added 2026/05/05 8:16 p.m., 4 views

CVE-2026-32936

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a...

CVSS 8.7, EPSS 0.00039
Exploits: 1, References: 2