Skip to main content

Bind 9 CVE-2026-3104

| EUVDEUVD-2026-15410 HIGH
Missing Release of Resource after Effective Lifetime (CWE-772)
2026-03-25 isc GHSA-vwv5-298p-pw28
7.5
CVSS 3.1 · Vendor: isc
Share

Severity by source

Vendor (isc) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (isc).

CVSS VectorVendor: isc

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
PoC Detected
Mar 25, 2026 - 15:41 vuln.today
Public exploit code
EUVD ID Assigned
Mar 25, 2026 - 14:00 euvd
EUVD-2026-15410
Analysis Generated
Mar 25, 2026 - 14:00 vuln.today
Patch released
Mar 25, 2026 - 14:00 nvd
Patch available
CVE Published
Mar 25, 2026 - 13:29 nvd
HIGH 7.5

DescriptionCVE.org

A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

AnalysisAI

Memory exhaustion in BIND 9 resolver allows unauthenticated remote attackers to cause denial of service by querying specially crafted domains, affecting versions 9.20.0-9.20.20, 9.21.0-9.21.19, and 9.20.9-S1-9.20.20-S1. The vulnerability stems from improper memory management (CWE-772) and can be triggered without authentication or user interaction. Patches are available for affected Ubuntu, SUSE, and Debian systems.

Technical ContextAI

BIND (Berkeley Internet Name Domain) is the most widely deployed DNS server software on the Internet, developed and maintained by the Internet Systems Consortium (ISC). This vulnerability affects the BIND 9 resolver component across specific version ranges as identified by CPE cpe:2.3:a:isc:bind_9:*:*:*:*:*:*:*:*. The root cause is classified as CWE-772 (Missing Release of Resource after Effective Lifetime), which occurs when allocated memory is not properly freed after use. In DNS resolvers, this type of flaw typically manifests during query processing where domain name handling or response parsing fails to deallocate temporary memory structures, leading to progressive memory consumption with each malicious query. Notably, the vulnerability appears to have been introduced in version 9.20.0, as the entire 9.18.x branch including versions through 9.18.46 is explicitly unaffected.

RemediationAI

Upgrade affected BIND 9 installations immediately to version 9.20.21 or later for the 9.20 branch (download available at https://downloads.isc.org/isc/bind9/9.20.21) or to version 9.21.20 or later for the 9.21 branch (download available at https://downloads.isc.org/isc/bind9/9.21.20). Organizations unable to patch immediately should consider temporarily switching to the unaffected 9.18 branch or implementing rate limiting and query filtering at the network perimeter to reduce exposure to malicious domain queries. Monitor memory utilization closely on affected resolvers to detect potential exploitation attempts and implement automated restart procedures if memory consumption patterns become abnormal. Consult the ISC security advisory at https://kb.isc.org/docs/cve-2026-3104 for complete remediation guidance and any additional vendor recommendations.

Vendor StatusVendor

Ubuntu

Priority: Medium
bind9
Release Status Version
trusty not-affected -
xenial not-affected -
bionic not-affected -
focal not-affected -
jammy not-affected 1:9.18.39-0ubuntu0.22.04.2
noble not-affected 1:9.18.39-0ubuntu0.24.04.2
upstream released 9.20.21,9.21.20
questing released 1:9.20.11-1ubuntu2.2
isc-dhcp
Release Status Version
trusty not-affected code not present
xenial not-affected code not present
bionic needs-triage -
focal not-affected code not present
jammy not-affected code not present
noble needs-triage -
questing needs-triage -
upstream needs-triage -
bind9-libs
Release Status Version
focal needs-triage -
jammy needs-triage -
noble DNE -
questing DNE -
upstream needs-triage -

Debian

bind9
Release Status Fixed Version Urgency
bullseye vulnerable 1:9.16.50-1~deb11u2 -
bullseye (security) vulnerable 1:9.16.50-1~deb11u4 -
bookworm vulnerable 1:9.18.41-1~deb12u1 -
bookworm (security) vulnerable 1:9.18.44-1~deb12u1 -
trixie (security), trixie vulnerable 1:9.20.18-1~deb13u1 -
forky vulnerable 1:9.20.20-1 -
sid vulnerable 1:9.20.21-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-3104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy