EUVD-2026-31108
GHSA-8v2c-7qqj-7wp7
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.
AnalysisAI
Use-after-free in the DNS-over-HTTPS (DoH) implementation of ISC BIND 9 (9.20.0-9.20.22, 9.21.0-9.21.21, and Subscription Edition 9.20.9-S1-9.20.22-S1) allows remote attackers to corrupt freed memory in the resolver/server process, potentially causing denial of service and possible information disclosure. The 9.18.x branch (including 9.18.11-S1 through 9.18.48-S1) is explicitly unaffected. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Inventory all BIND 9 deployments and confirm whether any run versions 9.20.0-9.20.22, 9.21.0-9.21.21, or Subscription Edition 9.20.9-S1-9.20.22-S1 (9.18.x branch is unaffected). Within 7 days: Apply vendor-released patches to upgrade affected systems to non-vulnerable versions. …
Sign in for detailed remediation steps.
More from same product – last 7 days
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today