Skip to main content

BIND 9 CVE-2026-3593

| EUVDEUVD-2026-31108 CRITICAL
Use After Free (CWE-416)
2026-05-20 isc GHSA-8v2c-7qqj-7wp7
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.2 HIGH

DoH endpoint is remote and unauthenticated (AV:N/PR:N), but a UAF most plausibly yields a crash (A:H) with limited heap disclosure (C:L) rather than confirmed integrity/code-execution impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Red Hat
7.4 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 30, 2026 - 03:32 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 03:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
HIGH CRITICAL
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.4 (HIGH) 9.8 (CRITICAL)
Analysis Generated
May 20, 2026 - 13:31 vuln.today

DescriptionNVD

A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.

AnalysisAI

Memory corruption in ISC BIND 9's DNS-over-HTTPS (DoH) implementation lets remote attackers trigger a use-after-free (CWE-416) by interacting with the DoH endpoint, affecting BIND 9.20.0-9.20.22, 9.21.0-9.21.21, and the 9.20.9-S1-9.20.22-S1 subscription builds; the older 9.18.x branch is explicitly not affected. The vendor scores it CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), implying unauthenticated remote impact, though CISA's SSVC rates technical impact as only 'partial' and exploitation as 'none'. There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 7th percentile), indicating no observed exploitation activity.

Technical ContextAI

BIND 9 is the Internet Systems Consortium's reference DNS server, and this flaw lives specifically in its DNS-over-HTTPS (DoH, RFC 8484) transport, where DNS queries are tunneled over HTTP/2 inside TLS. The root cause is CWE-416 (use-after-free): an object backing a DoH connection or query is freed while a pointer to it is still in use, so a subsequent dereference operates on reclaimed heap memory. Depending on heap state this can crash named (denial of service) or, as the 'Information Disclosure' and 'Memory Corruption' tags suggest, leak adjacent heap contents; full code execution is theoretically possible with UAF classes but is not demonstrated here. The single CPE provided, cpe:2.3:a:isc:bind_9:*, confirms the affected component is the BIND 9 nameserver itself rather than client tooling, and exploitation is only reachable when the DoH listener is actually enabled in named.conf.

RemediationAI

Vendor-released patch: upgrade to BIND 9.20.23 (https://downloads.isc.org/isc/bind9/9.20.23) for the 9.20 branch or 9.21.22 (https://downloads.isc.org/isc/bind9/9.21.22) for the 9.21 branch; subscription users on 9.20.x-S1 should obtain the corresponding fixed -S build from ISC support. If you run distribution packages, apply the vendor errata instead - Ubuntu USN-8293-1 (https://ubuntu.com/security/notices/USN-8293-1) or Red Hat RHSA-2026:7412 (https://access.redhat.com/errata/RHSA-2026:7412). As an immediate compensating control where patching must wait, disable the DoH listener by removing the 'https' (DoH) entries from the listen-on/listen-on-v6 statements in named.conf, which fully closes the attack surface at the cost of losing encrypted DoH service to clients; alternatively, if DoH must remain available, restrict reachability of the DoH TCP port (typically 443/853 as configured) with a firewall so only trusted resolvers/clients can connect, accepting that this does not protect against authorized-but-malicious clients. See the ISC advisory at https://kb.isc.org/docs/cve-2026-3593 for definitive guidance.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-3593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy