7 matches found
GHSA-HF2G-6J7H-98WG klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS
Summary networkMessenger.directMessageHandler in network/p2p/libp2p/netMessenger.go spawns a fresh goroutine for every incoming direct message before the antiflood layer makes an admission decision. There is no semaphore, throttler, or bound on concurrent in-flight spawns. A single connected libp...
CVE-2026-32934
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC DoQ server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a...
CVE-2026-32934
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC DoQ server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a...
CVE-2026-32934
CoreDNS prior to version 1.14.3 is vulnerable: the DNS-over-QUIC (DoQ) server can spawn unbounded goroutines/memory growth when a remote client opens many QUIC streams and sends 1 byte per stream. With a full worker pool, CoreDNS still creates a goroutine per stream to wait for a worker token, an...
CVE-2026-32934
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC DoQ server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a...
PT-2026-37094
Name of the Vulnerable Software and Affected Versions CoreDNS versions prior to 1.14.3 Description The DNS-over-QUIC DoQ server can be driven into unbounded goroutine and memory growth by an unauthenticated remote attacker. This occurs when a client opens numerous QUIC streams and sends only one...
CVE-2025-47950
CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service DoS vulnerability exists in the CoreDNS DNS-over-QUIC DoQ server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of...