VYPR
High severity · 7.4 · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-3593

Description

A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free bug in BIND 9's DNS-over-HTTPS implementation allows remote attackers to corrupt memory via crafted HTTP/2 traffic.

Vulnerability

A use-after-free vulnerability exists in the DNS-over-HTTPS (DoH) implementation of BIND 9. The issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and BIND Supported Preview Edition versions 9.20.9-S1 through 9.20.22-S1 [1]. Versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are not affected [1]. The flaw can be triggered by crafted HTTP/2 traffic sent to a DNS-over-HTTPS endpoint [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication. The attack complexity is high, as the attacker must send specially crafted HTTP/2 traffic to a resolver or authoritative server that has DNS-over-HTTPS enabled [1]. No user interaction is required. The precise sequence of steps involves sending HTTP/2 frames that cause a use-after-free condition in the DoH handling code, leading to memory corruption [1].

Impact

Successful exploitation results in memory corruption, which can lead to a denial of service due to application crash (availability impact) or potential information disclosure (confidentiality impact) [1]. The CVSS v3.1 score is 7.4 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H, indicating a network attack vector and no privileges required, but high attack complexity [1]. The vulnerability affects both authoritative servers and resolvers [1].

Mitigation

ISC has released patched versions: BIND 9.20.23, 9.21.22, and BIND Supported Preview Edition 9.20.23-S1 [1][2][3]. Users should upgrade to the appropriate patched release. Configurations not using DNS-over-HTTPS are not affected; disabling DNS-over-HTTPS is an effective workaround [1]. No active exploits are known at the time of disclosure [1].
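The two facts an operator needs from the Vulnerability and Mitigation sections above are whether the running version falls inside the affected ranges and whether the server actually exposes a DNS-over-HTTPS listener. The following is an added example, not code from ISC or from this advisory: it encodes the version ranges exactly as the advisory states them, extracts the version from `named -v` output, and scans a `named.conf` for `listen-on` statements that carry an `http` listener (BIND's DoH configuration syntax). The sample configuration and the `named -v` string are constructed for illustration; the comment stripping is deliberately simplified and does not handle multi-line `/* */` blocks.

```python
import re

# Inclusive affected ranges taken from the advisory text (edition "" = regular
# release, "S1" = Supported Preview Edition). 9.18.x is not affected.
AFFECTED_RANGES = [
    ("", (9, 20, 0), (9, 20, 22)),
    ("", (9, 21, 0), (9, 21, 21)),
    ("S1", (9, 20, 9), (9, 20, 22)),
]

# First fixed release per edition, from the advisory text.
FIXED_RELEASES = {"": ("9.20.23", "9.21.22"), "S1": ("9.20.23-S1",)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?$")


def parse_version(text):
    """Split '9.20.22' or '9.20.22-S1' into ((9, 20, 22), edition)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    major, minor, patch, edition = m.groups()
    return (int(major), int(minor), int(patch)), (edition or "")


def version_from_named_v(output):
    """Pull the version token out of 'named -v' output such as
    'BIND 9.20.22 (Stable Release) <id:0000000>' (constructed sample)."""
    m = re.search(r"\bBIND\s+(\d+\.\d+\.\d+(?:-S\d+)?)", output)
    if not m:
        raise ValueError("no BIND version found in output")
    return m.group(1)


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    nums, edition = parse_version(version)
    return any(ed == edition and lo <= nums <= hi
               for ed, lo, hi in AFFECTED_RANGES)


_DOH_LISTEN_RE = re.compile(r"^\s*listen-on(?:-v6)?\b.*\bhttp\b")


def doh_listeners(named_conf):
    """Return the uncommented listen-on statements that bind an HTTP listener,
    i.e. the DNS-over-HTTPS surface this advisory concerns. Comment handling
    is simplified: '//' and '#' to end of line are dropped; /* */ blocks that
    span lines are not handled."""
    found = []
    for line in named_conf.splitlines():
        code = re.split(r"//|#", line, maxsplit=1)[0]
        if _DOH_LISTEN_RE.match(code):
            found.append(code.strip())
    return found


def assess(version, named_conf):
    """Combine both checks into the decision a defender needs."""
    affected = is_affected(version)
    listeners = doh_listeners(named_conf)
    if not affected:
        action = "no action: version outside the affected ranges"
    elif listeners:
        action = "exposed: upgrade to a fixed release, or remove the DoH listeners until you can"
    else:
        action = "affected version but no DoH listener configured: upgrade on the normal schedule"
    return {"version": version, "affected": affected,
            "doh_listeners": listeners, "action": action}


# Constructed sample named.conf fragment, not taken from any real deployment.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    listen-on port 53 { any; };
    // DNS-over-HTTPS listeners: the surface this advisory is about
    listen-on port 443 tls local-tls http local-http { any; };
    listen-on-v6 port 443 tls local-tls http local-http { any; };
    listen-on port 853 tls local-tls { any; };  // DoT only, no http
    # listen-on port 8443 tls local-tls http local-http { any; };
};
"""

if __name__ == "__main__":
    ver = version_from_named_v("BIND 9.20.22 (Stable Release) <id:0000000>")
    print(assess(ver, SAMPLE_NAMED_CONF))
```

Run against a real host, feed it the output of `named -v` and the contents of the live `named.conf` (including any files it `include`s); the commented-out 8443 listener in the sample shows why comment stripping matters, since a naive grep for `http` would report it as live.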

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Range: >=9.20.9-S1, <=9.20.22-S1
  • isc/bind (llm-fuzzy match)
    Range: >=9.20.0 <=9.20.22 || >=9.21.0 <=9.21.21 || >=9.20.9-S1 <=9.20.22-S1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.