CVE-2026-3039
Description
BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BIND 9 servers using TKEY/GSS-API authentication can be remotely exhausted by malicious packets, leading to denial of service.
Vulnerability
BIND 9 servers configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when processing specially constructed packets [1]. The issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, as well as Supported Preview Edition versions 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1 [1]. Such servers are typically found in Active Directory integrated DNS deployments and Kerberos-secured DNS environments [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication by sending specifically crafted packets to a vulnerable BIND server [1]. The attacker does not require any prior access or privileges; the packets trigger memory allocation that is not released [1]. Depending on the volume and frequency of such packets, the named process will eventually exhaust available memory [1]. No active exploits have been reported as of the advisory publication date [1].
Impact
Successful exploitation leads to a denial of service (DoS) condition, where the named process fails due to memory exhaustion [1]. The attack impacts system availability (A) but does not affect confidentiality (C) or integrity (I), resulting in a CVSS v3.1 base score of 7.5 (High) [1]. The named service must be restarted to recover functionality.
Mitigation
The vendor, ISC, has released patched versions: 9.18.49, 9.20.23, and 9.21.22 for the main branch, and 9.18.49-S1 and 9.20.23-S1 for the Supported Preview Edition [1][2][3][4]. These updates are available from ISC's official download site. No workarounds are known [1]. End-of-life (EoL) versions of BIND are believed to be vulnerable and should be upgraded or replaced [1].
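The mitigation above reduces to two questions an operator has to answer for each BIND server: is it in an affected range, and is it actually configured for GSS-TSIG, which is the only configuration the advisory describes as exposed? The following script is an added example, not ISC's code or tooling. The version ranges and fixed releases are transcribed from the advisory text above; the version parsing, the `assess` and `gss_tsig_configured` helpers, the choice of the oldest fixed branch as the upgrade target for end-of-life versions, and the named.conf samples are this example's own assumptions. The config scan looks for BIND's `tkey-gssapi-keytab` and `tkey-gssapi-credential` options and ignores commented-out lines.

```python
"""CVE-2026-3039 exposure check for BIND 9 (added example, not ISC tooling).

The affected ranges and fixed releases are transcribed from the advisory text.
The version parsing, branch lookup and named.conf scan are illustrative helpers
written for this example.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high, edition) ranges from the advisory. "main" is the
# standard release line, "S1" the Supported Preview Edition.
AFFECTED = [
    ((9, 0, 0), (9, 16, 50), "main"),
    ((9, 18, 0), (9, 18, 48), "main"),
    ((9, 20, 0), (9, 20, 22), "main"),
    ((9, 21, 0), (9, 21, 21), "main"),
    ((9, 9, 3), (9, 16, 50), "S1"),
    ((9, 18, 11), (9, 18, 48), "S1"),
    ((9, 20, 9), (9, 20, 22), "S1"),
]

# First fixed release per (major, minor, edition), from the advisory.
FIXED: Dict[Tuple[int, int, str], Version] = {
    (9, 18, "main"): (9, 18, 49),
    (9, 20, "main"): (9, 20, 23),
    (9, 21, "main"): (9, 21, 22),
    (9, 18, "S1"): (9, 18, 49),
    (9, 20, "S1"): (9, 20, 23),
}

# Matches "9.18.48" or "9.18.48-S1" inside a longer `named -v` banner; a distro
# suffix such as "-1~deb12u2" does not satisfy the optional S1 group.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S1)?")


def parse_version(text: str) -> Tuple[Version, str]:
    """Extract (major, minor, patch) and edition ("main" or "S1") from text."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    edition = "S1" if m.group(4) else "main"
    return version, edition


def fmt(version: Version, edition: str) -> str:
    """Render a version tuple back into advisory notation, e.g. 9.20.23-S1."""
    return ".".join(str(n) for n in version) + ("-S1" if edition == "S1" else "")


def assess(text: str) -> Dict[str, object]:
    """Classify a version as affected, fixed or unlisted and name the upgrade target."""
    version, edition = parse_version(text)
    fixed = FIXED.get((version[0], version[1], edition))
    in_range = any(lo <= version <= hi for lo, hi, ed in AFFECTED if ed == edition)
    # An affected branch with no fixed release in the advisory is end of life.
    eol = in_range and fixed is None

    if in_range:
        status = "affected"
        # Assumption of this example: for EoL branches, suggest the oldest
        # fixed branch of the same edition as the upgrade target.
        target = fixed or min(v for (_, _, ed), v in FIXED.items() if ed == edition)
    elif fixed is not None and version >= fixed:
        status, target = "fixed", None
    else:
        # e.g. a development branch the advisory does not enumerate; the
        # advisory treats EoL versions as vulnerable, so do not assume safety.
        status, target = "unlisted", None

    return {
        "version": fmt(version, edition),
        "status": status,
        "upgrade_to": fmt(target, edition) if target else None,
        "eol": eol,
    }


# Strips /* */, // and # comments so a commented-out option does not count.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")


def gss_tsig_configured(named_conf: str) -> bool:
    """True if named.conf enables GSS-TSIG, the configuration the advisory says is exposed."""
    stripped = COMMENT_RE.sub("", named_conf)
    return any(opt in stripped for opt in GSS_OPTIONS)


# Constructed sample configs for this example (not from any real deployment).
SAMPLE_CONF_ENABLED = """
options {
    directory "/var/cache/bind";
    // GSS-TSIG for Active Directory dynamic updates
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};
"""
SAMPLE_CONF_DISABLED = """
options {
    directory "/var/cache/bind";
    // tkey-gssapi-keytab "/etc/bind/dns.keytab";
};
"""

if __name__ == "__main__":
    # "9.19.5" is a constructed development-branch version the advisory does not list.
    for banner in ("BIND 9.18.48 (Extended Support Version)", "9.20.22-S1",
                   "9.16.50", "9.21.22", "9.19.5"):
        print(banner, "->", assess(banner))
    print("GSS-TSIG enabled:", gss_tsig_configured(SAMPLE_CONF_ENABLED))
```

Feed `assess` the output of `named -v` (or the version string from your inventory) and `gss_tsig_configured` the contents of named.conf; a server is in scope for this CVE only when the first reports `affected` and the second returns True, though the advisory's EoL guidance means an `unlisted` verdict on an old branch should still be treated as an upgrade case.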
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=9.0.0,<=9.16.50 || >=9.18.0,<=9.18.48 || >=9.20.0,<=9.20.22 || >=9.21.0,<=9.21.21
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.