Description
A use-after-free vulnerability exists within the DNS-over-HTTPS implementation.
This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.
BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.
Published: 2026-05-20
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap use-after-free flaw exists in the DNS-over-HTTPS component of BIND 9. The vulnerability allows an attacker to manipulate DoH requests so that a freed memory object is accessed again, which can corrupt process memory and crash the service. The description does not confirm that this can be leveraged for code execution, but memory corruption could lead to denial of service or provide a foothold for more advanced attacks.

Affected Systems

ISC BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and the 9.20.9-S1 through 9.20.22-S1 release lines are affected. Versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are not impacted.
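For fleet triage it helps to turn the version ranges above into a check that can be run against each host's reported version. The following is an added example and not code from ISC or OpenCVE: the ranges are the ones stated in this advisory, while the handling of the "-S1" (Subscription Edition) suffix, the "unknown" verdict for branches the advisory does not mention, and the first-line format assumed for `named -V` output are assumptions.

```python
"""Triage helper for CVE-2026-3593: is a given BIND 9 version in the affected range?

Added example, not code from ISC or OpenCVE. The version ranges are those
stated in the advisory; the "-S1" (Subscription Edition) suffix handling,
the 'unknown' verdict for branches the advisory does not mention, and the
`named -V` output format assumed by version_from_named_v() are assumptions.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Branch key: (major.minor, is_subscription_edition)
#   -> (first affected, last affected, fixed release), copied from the advisory.
AFFECTED_RANGES: Dict[Tuple[str, bool], Tuple[Version, Version, str]] = {
    ("9.20", False): ((9, 20, 0), (9, 20, 22), "9.20.23"),
    ("9.21", False): ((9, 21, 0), (9, 21, 21), "9.21.22"),
    ("9.20", True): ((9, 20, 9), (9, 20, 22), "9.20.23-S1"),
}

# Branches the advisory explicitly lists as not affected.
NOT_AFFECTED_BRANCHES = {("9.18", False), ("9.18", True)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-S1)?$")
# Assumed format: the first line of `named -V` starts with "BIND <version>".
_NAMED_V_RE = re.compile(r"^BIND\s+(\S+)", re.MULTILINE)


def parse_version(text: str) -> Tuple[Version, bool]:
    """Parse '9.20.15' or '9.20.15-S1' into ((9, 20, 15), is_subscription_edition)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4) is not None


def version_from_named_v(output: str) -> Optional[str]:
    """Extract the version token from `named -V` output (assumed 'BIND <version> ...' first line)."""
    m = _NAMED_V_RE.search(output)
    return m.group(1) if m else None


def assess(text: str) -> Dict[str, Optional[str]]:
    """Return {'version', 'status', 'fixed_in'}.

    status is 'affected', 'not_affected', or 'unknown' (branch not covered by the advisory).
    Versions above the last affected release (the fixed release or later) are 'not_affected'.
    """
    version, subscription = parse_version(text)
    branch = (f"{version[0]}.{version[1]}", subscription)
    if branch in NOT_AFFECTED_BRANCHES:
        return {"version": text, "status": "not_affected", "fixed_in": None}
    covered = AFFECTED_RANGES.get(branch)
    if covered is None:
        return {"version": text, "status": "unknown", "fixed_in": None}
    first, last, fixed = covered
    if first <= version <= last:  # tuple comparison: (major, minor, patch)
        return {"version": text, "status": "affected", "fixed_in": fixed}
    return {"version": text, "status": "not_affected", "fixed_in": None}


# Constructed sample of `named -V` output; not captured from a real host.
SAMPLE_NAMED_V = "BIND 9.20.15 (Stable Release) <id:0000000>\nrunning on Linux x86_64\n"

if __name__ == "__main__":
    detected = version_from_named_v(SAMPLE_NAMED_V)
    print(assess(detected))  # {'version': '9.20.15', 'status': 'affected', 'fixed_in': '9.20.23'}
    for candidate in ("9.20.23", "9.21.21", "9.20.22-S1", "9.18.48", "9.19.3"):
        print(assess(candidate))
```

The "unknown" verdict is deliberate: a branch the advisory does not list (for example a 9.19 development build) should be escalated for a manual look rather than silently reported as safe.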

Risk and Exploitability

The CVSS score of 7.4 classifies the issue as high severity. EPSS data is not available, but the DoH service is exposed to the network, making remote exploitation plausible. The vulnerability is not listed in the CISA KEV catalog. As the flaw can be triggered by remotely sent DoH packets, the likely attack vector is remote over the network, requiring only access to the configured DoH port. Until the patch is applied, any deployment with DoH enabled should be treated as high risk.

Generated by OpenCVE AI on May 20, 2026 at 15:06 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.23, 9.21.22, or 9.20.23-S1.


Vendor Workaround

Configurations not using DNS-over-HTTPS should not be affected. Disabling DNS-over-HTTPS is likewise an effective workaround.


OpenCVE Recommended Actions

  • Upgrade ISC BIND 9 to release 9.20.23, 9.21.22, or 9.20.23-S1 to apply the patch for the use-after-free flaw.
  • If an immediate upgrade is not feasible, disable the DNS-over-HTTPS service in the BIND configuration to prevent exploitation of the vulnerability.
  • To limit exposure while the patch is pending, restrict DoH traffic to trusted IP ranges or enforce firewall rules that limit access to the DoH port.

Generated by OpenCVE AI on May 20, 2026 at 15:06 UTC.


Advisories
Source: Debian DSA    ID: DSA-6285-1    Title: bind9 security update
History

Wed, 20 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 13:15:00 +0000

Values Added:
Description: A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.
Title: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation
First Time appeared: Isc, Isc bind
Weaknesses: CWE-416
CPEs: cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
Vendors & Products: Isc, Isc bind
References:
Metrics (cvssV3_1): {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: isc

Published:

Updated: 2026-05-20T13:40:45.166Z

Reserved: 2026-03-05T12:57:16.981Z

Link: CVE-2026-3593

Vulnrichment

Updated: 2026-05-20T13:40:40.119Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T13:16:23.923

Modified: 2026-05-20T14:04:57.320

Link: CVE-2026-3593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T15:15:06Z

Weaknesses