Full Report
ISC BIND security advisory (AV26-490)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in ISC BIND 9
## CVE Details
- **CVE ID:** CVE-2026-3039, CVE-2026-5947, CVE-2026-5946, CVE-2026-3593
- **CVSS Score:** Not given in this summary; see the per-CVE ISC advisories listed under References for the vendor score of each flaw.
- **CWE:**
- CVE-2026-3039: CWE-400 (Uncontrolled Resource Consumption)
- CVE-2026-5947: CWE-697 (Incorrect Comparison) / Undefined Behavior
- CVE-2026-5946: CWE-20 (Improper Input Validation)
- CVE-2026-3593: CWE-416 (Use After Free)
## Affected Systems
- **Products:** ISC BIND 9 and BIND Supported Preview Edition
- **Versions:**
- 9.0.0 through 9.16.50 (no fixed release is listed for these branches; see Remediation)
- 9.18.0 through 9.18.48
- 9.20.0 through 9.20.22
- 9.21.0 through 9.21.21
- Supported Preview Edition: 9.9.3-S1 through 9.20.22-S1
- **Configurations:** Systems utilizing GSS-API/TKEY negotiation, SIG(0) validation, non-IN CLASS records, or DNS-over-HTTPS (DoH).
## Vulnerability Description
This advisory addresses four distinct flaws in the BIND 9 DNS suite:
1. **CVE-2026-3039:** A resource management flaw where a server may experience memory exhaustion during GSS-API TKEY negotiation, potentially leading to a Denial of Service (DoS).
2. **CVE-2026-5947:** Logic errors during double-validation of SIG(0) signatures under high query volume (flood conditions) can result in undefined behavior or daemon crashes.
3. **CVE-2026-5946:** Incorrect handling of DNS resource records whose CLASS is not Internet (IN), for example CHAOS or HESIOD, leading to processing errors.
4. **CVE-2026-3593:** A critical heap use-after-free (memory corruption) in the DNS-over-HTTPS (DoH) implementation, which could lead to remote code execution or termination of `named`.
## Exploitation
- **Status:** Not currently reported as exploited in the wild (refer to ISC Matrix for live updates).
- **Complexity:** Low to Medium.
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** Low to High (High for CVE-2026-3593).
- **Integrity:** Low to High.
- **Availability:** High (denial of service is the primary outcome of CVE-2026-3039, CVE-2026-5947 and CVE-2026-3593).
## Remediation
### Patches
Users are advised to upgrade to the following versions or later:
- BIND 9.18.49
- BIND 9.20.23
- BIND 9.21.22
- BIND Supported Preview Edition 9.18.49-S1 or 9.20.23-S1
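The branch logic above is easy to get wrong by hand (9.16 and earlier have no fixed release at all, and Preview Edition builds carry an -S suffix). The following is an added example, not ISC tooling: it classifies a `named -v` banner against the fixed releases listed in this advisory. The banner format assumed is "BIND 9.18.47 (Extended Support Version) <id:...>", and the fallback banner in the `__main__` block is constructed.

```python
"""Affected-version check for the four BIND 9 CVEs in this advisory.

Added example, not ISC tooling: the fixed releases are the ones listed in
the Remediation section; the banner parsing assumes the `named -v` output
format ("BIND 9.18.47 (Extended Support Version) <id:...>") and the sample
banner used as a fallback below is constructed.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First fixed release per maintained branch (from the advisory). Supported
# Preview Edition releases carry an -S suffix but use the same numbers.
FIXED = {
    (9, 18): (9, 18, 49),
    (9, 20): (9, 20, 23),
    (9, 21): (9, 21, 22),
}

# Matches "BIND 9.18.49" or "BIND 9.18.49-S1" anywhere in a version banner.
VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")


def parse_named_version(banner: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_preview_edition) or None if no BIND version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def assess(banner: str) -> str:
    """Classify a named version banner against the advisory.

    "fixed"             - at or above the first fixed release of its branch
    "vulnerable"        - maintained branch (9.18/9.20/9.21), below the fixed release
    "vulnerable-no-fix" - 9.0 through 9.16: listed as affected, no fixed release
                          in the advisory; the remediation is to move to 9.18+
    "not-listed"        - a branch the advisory does not mention
    "unknown"           - not a BIND 9 banner
    """
    parsed = parse_named_version(banner)
    if parsed is None or parsed[0] != 9:
        return "unknown"
    major, minor, patch, _preview = parsed
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if (major, minor, patch) >= FIXED[branch] else "vulnerable"
    if branch < (9, 18):
        return "vulnerable-no-fix"
    return "not-listed"


def local_named_banner() -> Optional[str]:
    """Run `named -v` if named is on PATH; None otherwise."""
    named = shutil.which("named")
    if named is None:
        return None
    out = subprocess.run([named, "-v"], capture_output=True, text=True, check=False)
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed fallback banner so the script runs on a host without named.
    banner = local_named_banner() or "BIND 9.18.47 (Extended Support Version) <id:0000000>"
    print(f"{banner!r}: {assess(banner)}")
```

Run it on each resolver and authoritative host; a "vulnerable-no-fix" result means a branch upgrade, not a point release, is required.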
### Workarounds
- **For CVE-2026-3593:** Disable DNS-over-HTTPS (DoH) if it is not strictly required: remove the `listen-on ... tls ... http ...` listener (and its `tls`/`http` blocks) from `named.conf`. DNS-over-TLS listeners are a separate code path and are not named in this advisory.
- **For CVE-2026-3039:** Restrict GSS-API TKEY negotiation to trusted clients, for example by filtering the server's update/TKEY clients at the network edge. Only servers configured with `tkey-gssapi-keytab` or `tkey-gssapi-credential` offer GSS-TSIG; where GSS-TSIG dynamic update is not used, leave those options unset.
- **General:** Enable Response Rate Limiting (RRL) to dampen query-flood impact. Note that RRL throttles responses; it does not stop `named` from doing the SIG(0) or GSS-API processing on the incoming queries, so it is a partial mitigation, not a substitute for the patch.
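The two configuration-level workarounds side by side, as an added example (not from ISC's advisory): the DoH listener that exposes the CVE-2026-3593 code path is shown commented out next to the plain-DNS listener that replaces it, and an RRL block is added. The `tls`/`http` names, the key and certificate paths, and the RRL numbers are placeholders.

```conf
// Added example fragment of named.conf; not from ISC's advisory.
// Names (doh-tls, doh-server), file paths and RRL values are placeholders.

options {
    directory "/var/cache/bind";

    // Workaround for CVE-2026-3593: do not expose a DoH listener unless required.
    // Before (DoH exposed):
    // listen-on port 443 tls doh-tls http doh-server { any; };
    //
    // After: plain DNS only. If you need encrypted transport, a DoT listener
    // ("listen-on port 853 tls doh-tls { any; };") is a different code path
    // from DoH and is not named in this advisory.
    listen-on port 53 { any; };

    // Response Rate Limiting. This dampens flood *responses*; named still
    // performs SIG(0)/GSS-API work on incoming queries, so it only reduces
    // amplification and load, it does not close the bugs.
    rate-limit {
        responses-per-second 10;
        window 5;
        log-only no;   // set to "yes" first to observe what would be limited
    };
};

// The tls and http blocks exist only to serve the DoH listener; keep them
// commented out together with it.
// tls doh-tls { key-file "/etc/bind/doh.key"; cert-file "/etc/bind/doh.crt"; };
// http doh-server { endpoints { "/dns-query"; }; };
```

After editing, run `named-checkconf` on the file; `named-checkconf -p` prints the effective configuration, which is the quickest way to confirm that no `http` block or `tkey-gssapi-*` option survived on a host that does not need them.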
## Detection
- **Indicators of Compromise:** Sustained growth in the resident memory of the `named` process (CVE-2026-3039); unexpected restarts of `named`, visible as repeated "starting BIND" startup banners in the log; log entries indicating SIG(0) validation failures (CVE-2026-5947) or GSS-API/TKEY errors (CVE-2026-3039), especially many from a single source.
- **Detection Methods and Tools:** Monitor `named` memory and restarts, check for core files in the working directory, and use `named-checkconf -p` to print the effective configuration and confirm whether `http`/`tls` listeners or `tkey-gssapi-*` options are enabled on each host.
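A minimal triage of these indicators over `named` log lines, as an added example that is not ISC tooling. The lines in `SAMPLE_LOG` are constructed for illustration; the exact wording of SIG(0) and GSS-API messages varies between BIND releases, so the matcher keys on the stable tokens "SIG(0)", "GSS" and the "starting BIND" banner rather than on full message text. `SIG0_THRESHOLD` is an assumed per-source cut-off.

```python
"""Triage of named log lines for the indicators listed in this section.

Added example, not ISC tooling. SAMPLE_LOG is constructed: message wording
for SIG(0)/GSS-API failures differs between releases, so match on the stable
tokens "SIG(0)", "GSS" and "starting BIND". SIG0_THRESHOLD is an assumed
per-source cut-off; tune it to your query volume.
"""
import re
from collections import Counter
from typing import Dict, List

# BIND prefixes client-related messages with "client @0x<addr> <ip>#<port>".
CLIENT_RE = re.compile(r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+")
PID_RE = re.compile(r"named\[(\d+)\]")
SIG0_THRESHOLD = 3

# Constructed sample: one start, a burst of SIG(0) failures from one source,
# one GSS-API error, then a second "starting BIND" line with a new pid
# (i.e. named restarted).
SAMPLE_LOG = """\
Mar 03 10:00:01 ns1 named[812]: starting BIND 9.18.47 (Extended Support Version) <id:0000000>
Mar 03 10:04:12 ns1 named[812]: client @0x7f1a2c0 198.51.100.7#41234 (example.com): request has invalid SIG(0) signature
Mar 03 10:04:12 ns1 named[812]: client @0x7f1a2c1 198.51.100.7#41235 (example.com): request has invalid SIG(0) signature
Mar 03 10:04:13 ns1 named[812]: client @0x7f1a2c2 198.51.100.7#41236 (example.com): request has invalid SIG(0) signature
Mar 03 10:05:44 ns1 named[812]: client @0x7f1a2d0 203.0.113.9#55001: GSS-API TKEY negotiation failed
Mar 03 10:06:00 ns1 named[2390]: starting BIND 9.18.47 (Extended Support Version) <id:0000000>
"""


def triage(log_text: str, sig0_threshold: int = SIG0_THRESHOLD) -> Dict[str, object]:
    """Count the advisory's log indicators and flag sources over the SIG(0) cut-off."""
    start_pids: List[str] = []      # one entry per "starting BIND"; more than one means a restart
    sig0_by_src: Counter = Counter()
    gss_by_src: Counter = Counter()
    for line in log_text.splitlines():
        m_pid = PID_RE.search(line)
        if not m_pid:
            continue                # not a named line
        if "starting BIND" in line:
            start_pids.append(m_pid.group(1))
            continue
        m = CLIENT_RE.search(line)
        src = m.group("ip") if m else "unknown"
        if "SIG(0)" in line:
            sig0_by_src[src] += 1
        elif "GSS" in line:
            gss_by_src[src] += 1
    flagged = sorted(s for s, n in sig0_by_src.items() if n >= sig0_threshold)
    return {
        "start_pids": start_pids,
        "restarts": max(len(start_pids) - 1, 0),   # the first start is expected
        "sig0_failures": dict(sig0_by_src),
        "gss_errors": dict(gss_by_src),
        "flagged_sources": flagged,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it `journalctl -u named --no-pager` output or the BIND log file; a non-zero `restarts` count on a host that was not deliberately restarted, or a flagged source, is the point at which to look for core files and check the running version.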
## References
- ISC Security Advisory CVE-2026-3039: hxxps[://]kb[.]isc[.]org/docs/cve-2026-3039
- ISC Security Advisory CVE-2026-5947: hxxps[://]kb[.]isc[.]org/docs/cve-2026-5947
- ISC Security Advisory CVE-2026-5946: hxxps[://]kb[.]isc[.]org/docs/cve-2026-5946
- ISC Security Advisory CVE-2026-3593: hxxps[://]kb[.]isc[.]org/docs/cve-2026-3593
- BIND 9 Security Vulnerability Matrix: hxxps[://]kb[.]isc[.]org/docs/aa-00913
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/isc-bind-security-advisory-av26-490