Skip to main content

ISC BIND 9 CVE-2026-3039

| EUVDEUVD-2026-31103 HIGH
Missing Reference to Active Allocated Resource (CWE-771)
2026-05-20 isc GHSA-p65f-mhrm-vhrc
7.5
CVSS 3.1 · Vendor: isc
Share

Severity by source

Vendor (isc) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (isc).

CVSS VectorVendor: isc

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 13:31 vuln.today

DescriptionCVE.org

BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

AnalysisAI

Denial of service in ISC BIND 9 DNS servers configured with TKEY GSS-API authentication allows remote unauthenticated attackers to trigger excessive memory consumption by sending maliciously crafted packets. The flaw primarily impacts Active Directory-integrated DNS and Kerberos-secured DNS deployments, where service exhaustion can disrupt authentication, name resolution, and dependent enterprise services. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 7.5 score and network-reachable, unauthenticated nature warrant timely patching.

Technical ContextAI

BIND 9 is the most widely deployed open-source DNS server software, maintained by ISC. TKEY (Transaction Key, RFC 2930) is a meta-RR mechanism used to negotiate shared secrets between DNS clients and servers, and the GSS-API variant (GSS-TSIG, RFC 3645) is commonly used in Microsoft Active Directory environments to allow secure dynamic DNS updates from domain-joined hosts. The root cause maps to CWE-771 (Missing Reference to Active Allocated Resource), meaning BIND fails to release memory allocated during the parsing or negotiation of malformed TKEY/GSS-API token exchanges. As the named resolver/auth daemon processes successive crafted packets, allocations accumulate until the process exhausts available memory and is killed or becomes unresponsive. The affected component (cpe:2.3:a:isc:bind_9:*) covers both mainline branches and the Supported Preview (-S1) releases distributed to ISC subscribers.

RemediationAI

Vendor-released patches are available: upgrade to BIND 9.18.49, 9.20.23, or 9.21.22 (or the equivalent -S1 Supported Preview build for subscribers), obtainable from https://downloads.isc.org/isc/bind9/9.18.49, https://downloads.isc.org/isc/bind9/9.20.23, and https://downloads.isc.org/isc/bind9/9.21.22, with full advisory context at https://kb.isc.org/docs/cve-2026-3039. The 9.16.x mainline reached end-of-life before this patch cycle, so operators still on 9.16.x must migrate to a supported branch (9.18.49 is the closest LTS-style target). As a compensating control where immediate patching is not possible, disable TKEY/GSS-API negotiation on the affected servers - note this will break secure dynamic updates from Active Directory clients and is generally not viable in AD-integrated environments; alternatively, restrict UDP/TCP port 53 access to only trusted domain controllers and member hosts via network ACLs or host firewalls to limit which sources can submit TKEY exchanges, accepting that this does not protect against compromised internal clients. Monitor named process RSS and configure systemd or process supervisors with memory limits and automatic restarts to contain the impact of a successful attempt, understanding this only reduces blast radius rather than preventing the bug.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-3039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy