SB2026052202 - Multiple vulnerabilities in ISC BIND
Published: May 22, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2026-5950)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper control of resource consumption in the resolver state machine bad-server handling in BIND 9 when processing queries that trigger specific retry conditions. A remote attacker can send specially crafted queries to cause a denial of service.
Resolvers are affected, while authoritative services are believed to be unaffected.
2) Use-after-free (CVE-ID: CVE-2026-5947)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in SIG(0) validation when processing a DNS message signed with SIG(0) while the recursive-clients limit is reached during a query flood. A remote attacker can send specially crafted DNS traffic to cause a denial of service.
Both authoritative servers and resolvers are affected.
3) Improper handling of exceptional conditions (CVE-ID: CVE-2026-5946)
CWE-ID: CWE-755 - Improper Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of non-internet dns class values in named when processing specially crafted dns messages. A remote attacker can send specially crafted dns messages to cause a denial of service.
Affected code paths include recursion, dynamic updates, zone change notifications, and processing of IN-specific record types in non-IN data. Both authoritative servers and resolvers are affected.
4) Use-after-free (CVE-ID: CVE-2026-3593)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information and cause a denial of service.
The vulnerability exists due to use-after-free in the DNS-over-HTTPS implementation when processing crafted HTTP/2 traffic sent to a DNS-over-HTTPS endpoint. A remote attacker can send crafted HTTP/2 traffic to disclose sensitive information and cause a denial of service.
Both authoritative servers and resolvers are affected.
5) Resource exhaustion (CVE-ID: CVE-2026-3592)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of self-pointed glue records in BIND resolver processing when resolving names in a specially crafted zone. A remote attacker can induce the resolver to query a specially crafted zone to cause a denial of service.
The issue predominantly affects recursive resolvers. Authoritative-only servers containing only trustworthy zones and names are believed to be unaffected.
6) Memory leak (CVE-ID: CVE-2026-3039)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in the GSS-API TKEY negotiation handling in BIND 9 when processing maliciously constructed packets. A remote attacker can send specially crafted packets to cause a denial of service.
Only servers configured to use TKEY-based authentication via GSS-API tokens are vulnerable.
Remediation
Install update from vendor's website.