SB20260325211 - Fedora 43 update for bind9-next

Published: March 25, 2026

Security Bulletin ID: SB20260325211
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2026-1519)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the DNSSEC validation component when handling NSEC3 records during insecure delegation validation. A remote attacker can send a specially crafted DNS zone response to cause excessive CPU load on the resolver.

Resolvers performing DNSSEC validation are affected; authoritative-only servers are generally not affected unless they perform recursive queries.


2) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-3104)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper memory management in the DNSSEC proof preparation component when handling recursive queries for a specially crafted domain. A remote attacker can send a specially crafted domain query to cause unbounded memory consumption, leading to an out-of-memory condition and potential service termination during shutdown or reload.

Resolvers are affected; authoritative servers may be at risk if they perform recursive queries.


3) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-3119)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper handling of TKEY records in the DNS query processing component when processing a signed query containing a TKEY record. A remote user can send a specially crafted, correctly signed query containing a TKEY record to cause named to terminate unexpectedly.

Successful exploitation requires that the attacker possesses a valid TSIG key configured in the target's named configuration. Both authoritative servers and resolvers are affected.


4) Operation on a Resource after Expiration or Release (CVE-ID: CVE-2026-3591)

The vulnerability allows a remote user to bypass access controls.

The vulnerability exists due to a use-after-return error in the SIG(0) handling code in named when processing specially crafted DNS queries. A remote user can send a specially crafted DNS request to cause an ACL to mismatch an IP address, potentially leading to unauthorized access in default-allow ACL configurations.

Authoritative servers and resolvers are affected. In a default-allow ACL (which denies only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail securely.
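As an added illustration (not part of this bulletin), the two ACL styles distinguished above, written in named.conf syntax; the ACL names and address ranges are placeholders chosen for the example:

```conf
// Placeholder address lists for the example.
acl "blocked" { 192.0.2.0/24; };
acl "trusted" { 127.0.0.1; 10.0.0.0/8; };

options {
    // Default-allow form: refuses only "blocked" and permits everyone else.
    // If the ACL evaluation mismatches a client address, that client is
    // still permitted, which is the exposure described for CVE-2026-3591.
    // allow-query { !blocked; any; };

    // Default-deny form: permits only "trusted"; any address that does not
    // match falls through to the implicit refusal, so a mismatch fails closed.
    allow-query { trusted; };
};
```

The same distinction applies to any ACL-driven option (allow-recursion, allow-transfer, allow-update), so each one can be reviewed for a trailing `any;` that makes it default-allow.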


Remediation

Install the update from the vendor's website.