SB2026042541 - Multiple vulnerabilities in CoreDNS

Published: April 25, 2026

Security Bulletin ID: SB2026042541
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 100% (5 of 5)

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Improper authentication (CVE-ID: CVE-2026-35579)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper authentication in the gRPC and QUIC servers when processing TSIG-signed DNS messages. A remote attacker can send a specially crafted request with a valid TSIG key name and a forged MAC to disclose sensitive information.

The issue affects requests whose TSIG key name exists in the configuration: the HMAC is never computed or compared before the request is treated as verified, so possession of a valid key name alone is enough to pass the check.


2) Resource exhaustion (CVE-ID: CVE-2026-32934)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the DoQ server worker pool and stream handling in core/dnsserver/server_quic.go when processing many QUIC streams that stall after sending only 1 byte. A remote attacker can open many QUIC streams and stop before completing the DoQ length prefix to cause a denial of service.

The issue can lead to large goroutine and memory growth, potentially resulting in an OOM kill and service outage.
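The two controls a DoQ server needs against this pattern are a per-stream read deadline on the length prefix and body, and a hard cap on concurrently handled streams. The following Go program is an added example written for this bulletin; it is not CoreDNS code. It uses net.Pipe as a stand-in for a QUIC stream (an assumption, since a real server would read from a quic-go stream) and constructs the stalled client itself; the 12-byte minimum length and the stream budget are choices for the example, not values from the advisory.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

const maxDNSMessage = 65535

// readDoQMessage reads one DoQ message (RFC 9250: a 2-byte big-endian length
// prefix followed by the DNS message) from a stream. The peer gets at most
// `timeout` to deliver the whole message, so a stream that sends a single
// byte and then stalls is torn down instead of pinning a goroutine and its
// buffers until the client goes away.
func readDoQMessage(c net.Conn, timeout time.Duration) ([]byte, error) {
	if err := c.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	var hdr [2]byte
	if _, err := io.ReadFull(c, hdr[:]); err != nil {
		return nil, fmt.Errorf("doq: length prefix: %w", err)
	}
	n := int(binary.BigEndian.Uint16(hdr[:]))
	if n < 12 || n > maxDNSMessage { // shorter than a DNS header is never valid
		return nil, errors.New("doq: bad length prefix")
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(c, buf); err != nil {
		return nil, fmt.Errorf("doq: body: %w", err)
	}
	return buf, nil
}

// streamLimiter bounds the number of streams handled concurrently. With a
// hard cap, an attacker opening thousands of stalled streams gets refusals
// once the budget is spent rather than unbounded goroutine growth.
type streamLimiter struct{ sem chan struct{} }

func newStreamLimiter(limit int) *streamLimiter {
	return &streamLimiter{sem: make(chan struct{}, limit)}
}

// acquire reserves a slot, or returns false immediately when at capacity.
func (l *streamLimiter) acquire() bool {
	select {
	case l.sem <- struct{}{}:
		return true
	default:
		return false
	}
}

func (l *streamLimiter) release() { <-l.sem }

func main() {
	// Constructed scenario: the client writes one byte of the length prefix
	// and then stalls; net.Pipe stands in for a QUIC stream.
	server, client := net.Pipe()
	go func() { client.Write([]byte{0x00}) }()
	_, err := readDoQMessage(server, 200*time.Millisecond)
	fmt.Println("stalled stream:", err) // deadline exceeded, not a hang
	server.Close()
	client.Close()

	l := newStreamLimiter(2)
	fmt.Println("slots granted:", l.acquire(), l.acquire(), l.acquire()) // true true false
}
```

In a real handler the deadline covers the whole read of one message, and a stream refused by the limiter should be closed with an error code rather than queued, so the attacker pays for each retry with a new stream rather than a new goroutine on the server.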


3) Improper access control (CVE-ID: CVE-2026-33489)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the transfer plugin stanza selection logic when processing AXFR or IXFR requests for a configured subzone. A remote attacker can send a zone transfer request to disclose sensitive information.

Exploitation is possible when both a parent zone and a more-specific subzone are configured with transfer stanzas and the parent-zone rule is more permissive than the subzone rule: because stanza selection is lexicographic rather than longest-match, the parent's permissive rule can be chosen for a transfer request naming the subzone, and the subzone's restriction is never consulted.
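The selection bug is easiest to see side by side with the correct rule. The Go program below is an added example for this bulletin, not the transfer plugin's code: it models a transfer stanza as a zone plus an allow list (a hypothetical simplification of the real stanza), implements a lexicographic "first containing zone in sorted order" selector to mirror the flaw, and a longest-match selector that picks the most specific zone. Zone names, peers and the request are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// transferRule is a hypothetical model of a transfer stanza: the zone it
// applies to and the peers allowed to request AXFR/IXFR ("*" = anyone).
type transferRule struct {
	Zone string
	To   []string
}

// zoneContains reports whether zone equals name or is a parent of it,
// comparing on label boundaries. All names are FQDNs ending in ".".
func zoneContains(zone, name string) bool {
	zone, name = strings.ToLower(zone), strings.ToLower(name)
	if zone == "." {
		return true
	}
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// selectLexicographic models the flawed behaviour: rules are walked in
// sorted zone-name order and the first one containing the requested zone
// wins. For the constructed config "example.org." sorts before
// "sub.example.org.", so the parent's rule is applied to the subzone.
// (Whether the parent sorts first depends on the names, which is exactly
// why ordering by name is the wrong criterion.)
func selectLexicographic(rules []transferRule, qname string) *transferRule {
	sorted := append([]transferRule(nil), rules...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Zone < sorted[j].Zone })
	for i := range sorted {
		if zoneContains(sorted[i].Zone, qname) {
			return &sorted[i]
		}
	}
	return nil
}

// selectLongestMatch picks the most specific configured zone containing the
// request, so a restrictive subzone rule is never shadowed by its parent.
func selectLongestMatch(rules []transferRule, qname string) *transferRule {
	var best *transferRule
	for i := range rules {
		if zoneContains(rules[i].Zone, qname) && (best == nil || len(rules[i].Zone) > len(best.Zone)) {
			best = &rules[i]
		}
	}
	return best
}

// allowed applies the chosen rule's allow list to the requesting peer.
func allowed(rule *transferRule, peer string) bool {
	if rule == nil {
		return false
	}
	for _, t := range rule.To {
		if t == "*" || t == peer {
			return true
		}
	}
	return false
}

func main() {
	// Constructed config: open transfers for the parent, one peer for the subzone.
	rules := []transferRule{
		{Zone: "example.org.", To: []string{"*"}},
		{Zone: "sub.example.org.", To: []string{"10.0.0.5"}},
	}
	attacker := "203.0.113.9"
	fmt.Println("lexicographic:", allowed(selectLexicographic(rules, "sub.example.org."), attacker)) // true
	fmt.Println("longest match:", allowed(selectLongestMatch(rules, "sub.example.org."), attacker))  // false
}
```

To check an existing deployment, list every transfer stanza, and for each subzone confirm that its allow list is at least as strict as every ancestor zone's; until the fix is applied, tightening the parent's rule is the only way to protect the subzone.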


4) Improper authentication (CVE-ID: CVE-2026-33190)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper authentication in the tsig plugin when handling TSIG-protected requests over DoT, DoH, DoH3, DoQ, or gRPC transports. A remote attacker can send a request with an invalid TSIG to disclose sensitive information.

The issue affects non-plain-DNS transports because the plugin derives TSIG validity from a status reported by the transport writer instead of computing and comparing the MAC itself, so a request with an invalid TSIG can be accepted over those transports.
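Both TSIG findings (1 and 4) come down to the same missing step: the MAC has to be recomputed with the configured secret and compared in constant time, by the plugin, on every transport. The Go program below is an added example for this bulletin and not CoreDNS or miekg/dns code. It uses a simplified TSIG model (an assumption: HMAC-SHA256 over the message bytes plus the key name, whereas real TSIG also covers the algorithm name, time signed and fudge, and chains MACs across a multi-message AXFR), and it places the flawed "key name exists, therefore verified" check beside the correct one. The key name, secret and message are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// tsigRecord is the part of a TSIG RR this example needs.
type tsigRecord struct {
	KeyName string // name of the shared key the client claims to have used
	MAC     []byte // HMAC supplied by the client
}

// keyring maps configured TSIG key names to their shared secrets.
type keyring map[string][]byte

// computeMAC is the simplified MAC for this example: HMAC-SHA256 over the
// message followed by the key name (real TSIG signs more fields).
func computeMAC(secret, msg []byte, keyName string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(msg)
	m.Write([]byte(keyName))
	return m.Sum(nil)
}

// brokenVerify mirrors the flaw described for CVE-2026-35579: the request is
// treated as verified as soon as the key name exists in the configuration.
// The MAC is never computed or compared, so any value passes.
func brokenVerify(keys keyring, msg []byte, rec tsigRecord) error {
	if _, ok := keys[rec.KeyName]; !ok {
		return errors.New("tsig: unknown key")
	}
	return nil
}

// verify is the correct check: look up the secret, recompute the HMAC over
// the message and compare it in constant time. A plugin must run this itself
// for every transport (UDP, TCP, DoT, DoH, DoH3, DoQ, gRPC) instead of
// trusting a "verified" status reported by the transport writer.
func verify(keys keyring, msg []byte, rec tsigRecord) error {
	secret, ok := keys[rec.KeyName]
	if !ok {
		return errors.New("tsig: unknown key")
	}
	if !hmac.Equal(computeMAC(secret, msg, rec.KeyName), rec.MAC) {
		return errors.New("tsig: bad signature")
	}
	return nil
}

func main() {
	keys := keyring{"axfr-key.": []byte("constructed-shared-secret")}
	msg := []byte("constructed DNS AXFR request bytes")
	// An attacker who knows only the key name sends zeros as the MAC.
	forged := tsigRecord{KeyName: "axfr-key.", MAC: make([]byte, sha256.Size)}
	fmt.Println("broken check, forged MAC:", brokenVerify(keys, msg, forged)) // <nil>: accepted
	fmt.Println("proper check, forged MAC:", verify(keys, msg, forged))       // tsig: bad signature
	genuine := tsigRecord{KeyName: "axfr-key.", MAC: computeMAC(keys["axfr-key."], msg, "axfr-key.")}
	fmt.Println("proper check, genuine MAC:", verify(keys, msg, genuine)) // <nil>
}
```

Note that the unknown-key error and the bad-signature error are distinguishable in this example for clarity; a production server should answer both with the same TSIG error to avoid confirming which key names exist.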


5) Resource exhaustion (CVE-ID: CVE-2026-32936)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the DoH GET request handling path in plugin/pkg/doh/doh.go when processing oversized dns= query parameters in requests to /dns-query. A remote attacker can send repeated oversized DoH GET requests to cause a denial of service.

The requests are rejected only after substantial work has already been done on them: URL query parsing, percent-unescaping, base64 decoding and DNS message unpacking all run before the size limit is enforced, so each oversized request costs the server far more than it costs the attacker.
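The fix pattern is to check the cheapest property first. The Go function below is an added example for this bulletin, not code from plugin/pkg/doh/doh.go: it rejects a GET /dns-query request on the raw query-string length before url.ParseQuery runs, then bounds the base64 input before decoding, then checks the decoded size before anything unpacks the message. The constants are derived from the 65535-byte DNS message limit and RFC 8484's unpadded base64url encoding; the limits and the sample query are assumptions made for the example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

const (
	maxDNSMessage = 65535
	// Unpadded base64url of the largest DNS message is ceil(65535*4/3) bytes;
	// add the "dns=" prefix. Anything longer is rejected before parsing.
	maxRawQueryLen = 4 + (maxDNSMessage*4+2)/3
)

// decodeDoHGet extracts the DNS message from the raw query string of a
// GET /dns-query request, doing the cheap checks before the expensive work.
func decodeDoHGet(rawQuery string) ([]byte, error) {
	// 1. Raw length: an O(1) check that runs before any parsing or unescaping.
	if len(rawQuery) > maxRawQueryLen {
		return nil, errors.New("doh: query string too long")
	}
	// 2. Only now parse and unescape the query string.
	vals, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	enc := vals.Get("dns")
	if enc == "" {
		return nil, errors.New("doh: missing dns parameter")
	}
	// 3. Bound the decoded size from the encoded length before decoding.
	if base64.RawURLEncoding.DecodedLen(len(enc)) > maxDNSMessage {
		return nil, errors.New("doh: message too large")
	}
	msg, err := base64.RawURLEncoding.DecodeString(enc) // RFC 8484: no padding
	if err != nil {
		return nil, fmt.Errorf("doh: bad base64: %w", err)
	}
	// 4. Sanity-check before handing the bytes to a DNS unpacker.
	if len(msg) < 12 {
		return nil, errors.New("doh: message shorter than a DNS header")
	}
	return msg, nil
}

func main() {
	// Constructed 12-byte DNS header: ID 0x1234, RD set, all counts zero.
	hdr := []byte{0x12, 0x34, 0x01, 0x00, 0, 0, 0, 0, 0, 0, 0, 0}
	msg, err := decodeDoHGet("dns=" + base64.RawURLEncoding.EncodeToString(hdr))
	fmt.Printf("normal request: %d bytes, err=%v\n", len(msg), err) // 12 bytes, err=<nil>

	oversized := make([]byte, 200000)
	for i := range oversized {
		oversized[i] = 'A'
	}
	_, err = decodeDoHGet("dns=" + string(oversized))
	fmt.Println("oversized request:", err) // doh: query string too long
}
```

If the server sits behind a reverse proxy, the same limit belongs there too (for example as a maximum request-line or URI size), so oversized GETs never reach the resolver process at all.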


Remediation

Install the update from the vendor's website.