Multiple Critical BIND 9 Flaws Expose DNS Infrastructure to DoS, Code Execution, and Amplification Attacks
A wave of vulnerabilities in ISC BIND 9, including a critical use-after-free in DNS-over-HTTPS and an unbounded resend loop, puts millions of resolvers and authoritative servers at risk of remote exploitation.

The Internet Systems Consortium (ISC) has disclosed multiple vulnerabilities in its widely deployed BIND 9 DNS software suite, with several flaws rated critical or high severity. The vulnerabilities, cataloged in the BIND 9 Software Vulnerability Matrix, expose both recursive resolvers and authoritative name servers to denial-of-service (DoS), memory corruption, and potential remote code execution. The most severe issue is CVE-2026-3593, a heap use-after-free vulnerability in the DNS-over-HTTPS (DoH) implementation. This flaw can allow attackers to trigger memory corruption that may lead to crashes or, under specific conditions, arbitrary code execution. Given the growing adoption of DoH to encrypt DNS traffic, the attack surface is significant, particularly on resolvers deployed in enterprise and cloud environments.
Another critical vulnerability, CVE-2026-5950, stems from an unbounded resend loop in the resolver logic. Attackers can craft malicious DNS queries that force the resolver to repeatedly retransmit requests, gradually exhausting CPU and memory resources and causing a sustained denial of service. ISC warns that this flaw can be exploited remotely without authentication, making it particularly dangerous for public-facing recursive resolvers.
Additional vulnerabilities widen the risk profile. CVE-2026-5947 affects SIG(0) transaction signature validation during periods of high query load, potentially leading to undefined behavior and service instability. CVE-2026-5946 involves improper handling of DNS queries for non-IN (non-Internet) classes, which attackers can leverage to disrupt query processing. CVE-2026-3592 introduces amplification risks via self-referential glue records, a technique that can be weaponized in reflected distributed denial-of-service (DDoS) attacks, which have historically caused massive internet disruptions. CVE-2026-3039 concerns memory exhaustion during GSS-API TKEY negotiation, degrading server performance.
ISC strongly urges administrators to upgrade to supported stable releases immediately. End-of-life (EOL) branches — from BIND 9.0 through 9.16 — remain widely deployed in some legacy environments despite no longer receiving security patches, making them prime targets. The organization advises against using alpha, beta, or release candidate builds in production. For environments where an immediate upgrade is not feasible, ISC recommends disabling unnecessary features such as DoH and applying rate limiting to mitigate potential amplification and flooding attacks.
Security teams should conduct thorough audits of their DNS infrastructure, inventory BIND versions across all servers, and prioritize patching for the most critical CVEs. Given the foundational role of DNS in network operations, exploitation of these vulnerabilities could lead to cascading outages affecting email, web, and application services. Continuous monitoring for anomalous query patterns and resource exhaustion symptoms is also recommended to detect in-the-wild exploitation attempts early.
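The monitoring and inventory steps above can be turned into a small triage script. The following is an added example written for this article, not code from ISC or the BIND project: it parses BIND-style query-log lines (the "queries" category format with timestamp, client, name, class and type is assumed; the sample lines are constructed, not real traffic), flags queries for non-IN classes and clients sending bursts of queries within a single second, and classifies a `named -v` banner as end-of-life using the 9.0 through 9.16 range stated by ISC. Thresholds and the log layout are assumptions to be adjusted per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# One BIND query-log line. The "@0x..." client handle is optional because
# older releases omit it. The field layout is assumed from BIND's "queries"
# category output and may need adjusting for a given logging configuration.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def parse_query_log(text):
    """Return a dict per line that matches the query-log format; skip the rest."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # other categories (general, lame-servers, ...) or unknown format
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
        records.append(rec)
    return records

def non_in_class_queries(records):
    """Queries for any class other than IN (CH, HS, ANY ...); rare on most resolvers."""
    return [r for r in records if r["qclass"] != "IN"]

def bursty_clients(records, threshold):
    """Map client -> peak queries/second for clients at or above the threshold."""
    per_second = defaultdict(int)
    for r in records:
        per_second[(r["client"], r["ts"].replace(microsecond=0))] += 1
    peak = defaultdict(int)
    for (client, _sec), n in per_second.items():
        peak[client] = max(peak[client], n)
    return {c: n for c, n in peak.items() if n >= threshold}

VERSION_RE = re.compile(r"BIND (\d+)\.(\d+)\.(\d+)")

def is_eol_bind(version_banner):
    """True if a 'named -v' banner falls in an EOL branch (BIND 9.0 through 9.16)."""
    m = VERSION_RE.search(version_banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {version_banner!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    return (major, minor) <= (9, 16)

# --- constructed sample input (not real traffic) -----------------------------
def _line(ts, client, port, qname, qclass, qtype):
    return (f"{ts} queries: info: client @0x7f0 {client}#{port} ({qname}): "
            f"query: {qname} {qclass} {qtype} +E(0)K (198.51.100.1)")

SAMPLE_LINES = [
    _line("12-May-2026 10:00:00.001", "192.0.2.10", 5301, "www.example.net", "IN", "A"),
    _line("12-May-2026 10:00:00.002", "192.0.2.10", 5302, "www.example.net", "IN", "AAAA"),
    _line("12-May-2026 10:00:00.003", "203.0.113.7", 4401, "version.bind", "CH", "TXT"),
    _line("12-May-2026 10:00:00.004", "203.0.113.7", 4402, "foo.example.org", "HS", "A"),
    "12-May-2026 10:00:00.005 general: info: zone example.net/IN: loaded serial 2026051201",
]
# One client sending 300 queries inside the same wall-clock second.
SAMPLE_LINES += [
    _line(f"12-May-2026 10:00:01.{i:03d}", "198.51.100.99", 40000 + i,
          f"x{i}.example.com", "IN", "A")
    for i in range(300)
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} query lines")
    for r in non_in_class_queries(recs):
        print(f"non-IN query: {r['client']} {r['qname']} {r['qclass']} {r['qtype']}")
    for client, n in bursty_clients(recs, threshold=100).items():
        print(f"burst: {client} peaked at {n} queries/second")
    for banner in ("BIND 9.16.50 (Extended Support Version)", "BIND 9.18.33 (Extended Support Version)"):
        print(f"{banner}: {'EOL' if is_eol_bind(banner) else 'supported branch'}")
```

Run it against a real query log by feeding the file contents to `parse_query_log`; the burst threshold should be set from a baseline of normal per-client rates, and the version check is only a first pass, since a supported branch still needs the specific fixed release for each CVE.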
These disclosures come amid a broader trend of heightened scrutiny on core internet infrastructure software. Recent months have seen critical vulnerabilities in NGINX, ChromaDB, and Microsoft Exchange Server, reinforcing the need for robust patch management and proactive vulnerability assessment across all layers of the technology stack.