
7 matches found

OSV
added 2026/06/05 4:41 p.m. | 4 views

GHSA-HF2G-6J7H-98WG klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS

Summary: networkMessenger.directMessageHandler in network/p2p/libp2p/netMessenger.go spawns a fresh goroutine for every incoming direct message before the antiflood layer makes an admission decision. There is no semaphore, throttler, or bound on concurrent in-flight spawns. A single connected libp...

CVSS 7.5 | AI score 5.4 | EPSS 0.0005
Exploits: 0 | References: 3

NVD
added 2026/05/05 8:16 p.m. | 7 views

CVE-2026-32934

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a...

CVSS 8.7 | EPSS 0.00469
Exploits: 1 | References: 2

ATTACKERKB
added 2026/05/05 7:6 p.m. | 4 views

CVE-2026-32934

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a...

CVSS 8.7 | AI score 5.7 | EPSS 0.00469
Exploits: 1 | References: 3 | Affected Software: 1

CVE
added 2026/05/05 7:6 p.m. | 29 views

CVE-2026-32934

CoreDNS prior to version 1.14.3 is vulnerable: the DNS-over-QUIC (DoQ) server can spawn unbounded goroutines/memory growth when a remote client opens many QUIC streams and sends 1 byte per stream. With a full worker pool, CoreDNS still creates a goroutine per stream to wait for a worker token, an...

CVSS 8.7 | AI score 5.7 | EPSS 0.00469
Exploits: 1 | References: 2 | Affected Software: 1

AlpineLinux
added 2026/05/05 7:6 p.m. | 10 views

CVE-2026-32934

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a...

CVSS 8.7 | AI score 5.7 | EPSS 0.00469
Exploits: 1 | References: 2

Positive Technologies
added 2026/04/28 12:0 a.m. | 8 views

PT-2026-37094

Name of the Vulnerable Software and Affected Versions: CoreDNS versions prior to 1.14.3
Description: The DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by an unauthenticated remote attacker. This occurs when a client opens numerous QUIC streams and sends only one...

CVSS 8.7 | AI score 5.8 | EPSS 0.00469
Exploits: 1 | References: 12

AlpineLinux
added 2025/06/06 6:15 p.m. | 3 views

CVE-2025-47950

CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of...

CVSS 7.5 | AI score 7.3 | EPSS 0.01132
Exploits: 0 | References: 5