Description
A use-after-free vulnerability exists within the DNS-over-HTTPS implementation.
This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.
BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.
Published: 2026-05-20
Score: 7.4 High (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap use-after-free flaw exists in the DNS-over-HTTPS (DoH) component of BIND 9. The description gives no detail on which object is freed or how it is reached again; what is known comes from the CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H), which rates the impact as high on confidentiality and availability and none on integrity. That is consistent with a remote DoH client being able to crash named (denial of service) or cause it to operate on freed memory, with the usual disclosure risk that carries. Nothing on the page indicates that code execution has been demonstrated; as with any use-after-free, that possibility cannot be ruled out from the description alone.

Affected Systems

ISC BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and the 9.20.9‑S1 through 9.20.22‑S1 release lines are affected. Versions 9.18.0 through 9.18.48 and 9.18.11‑S1 through 9.18.48‑S1 are not impacted.

Risk and Exploitability

The CVSS 3.1 base score of 7.4 (High) reflects a network attack vector with no privileges or user interaction required, offset by high attack complexity. The CISA SSVC assessment recorded on the page (Exploitation: none, Automatable: no, Technical Impact: partial) and the EPSS score of 0.00024 both indicate that no exploitation has been observed and that the probability of near-term exploitation is very low. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is in the DoH listener, it is reachable only by clients that can connect to a configured DoH port (TCP 443 by default); per ISC, servers that do not enable DoH are not affected. Until the patch is applied, any deployment with DoH reachable from untrusted networks should be treated as high risk.

Generated by OpenCVE AI on May 22, 2026 at 02:52 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.23, 9.21.22, or 9.20.23-S1.


Vendor Workaround

Configurations not using DNS-over-HTTPS should not be affected. Disabling DNS-over-HTTPS is likewise an effective workaround.


OpenCVE Recommended Actions

  • Upgrade ISC BIND 9 to release 9.20.23, 9.21.22, or 9.20.23‑S1, whichever matches the branch you run, to apply the fix for the use‑after‑free flaw.
  • If an immediate upgrade is not feasible, disable DoH: remove the `http` option from every `listen-on` and `listen-on-v6` statement in named.conf (and any `http` blocks that are then unused), verify with `named-checkconf`, and reload named. A server with no DoH listener is, per ISC, not affected.
  • If DoH must stay up until the patch lands, restrict who can reach it at the network layer: firewall the DoH port to trusted source ranges, or bind the DoH listener only to internal interfaces. BIND's query ACLs (`allow-query` and friends) are applied to the DNS message after the HTTP layer has already handled the request, so they are not a reliable control for a bug in the DoH implementation itself.
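As an added check (example code, not OpenCVE's or ISC's), the following Python script turns the upgrade-or-disable decision above into something you can run against a host: it parses a `named -v` version string against the affected ranges quoted in the description, picks the fixed release named in the vendor solution for that branch, and scans a named.conf for `listen-on` / `listen-on-v6` statements carrying the `http` option, which is how BIND 9 enables DoH. The version string and the named.conf fragment are constructed for the example; the regex parser assumes the listener syntax shown and does not follow `include` files.

```python
"""Triage helper for CVE-2026-3593 (BIND 9 DNS-over-HTTPS use-after-free).

Added example, not ISC's or OpenCVE's code. It encodes the affected ranges
exactly as published in the advisory text and scans a named.conf for DoH
listeners. Assumptions (not from the advisory): the version string is the
first line of `named -v` / `named -V`, and DoH is enabled whenever a
listen-on / listen-on-v6 statement carries the `http` option.
"""
import re

# Affected ranges from the advisory: (branch, first patch, last patch, subscription edition)
AFFECTED_RANGES = [
    ((9, 20), 0, 22, False),   # 9.20.0 through 9.20.22
    ((9, 21), 0, 21, False),   # 9.21.0 through 9.21.21
    ((9, 20), 9, 22, True),    # 9.20.9-S1 through 9.20.22-S1
]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S1)?\b")


def parse_version(text):
    """Return (major, minor, patch, is_subscription) from a `named -v` line such as
    'BIND 9.20.22 (Stable Release) <id:...>'; the first x.y.z in the text is used."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no BIND version found in %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) is not None


def is_affected(version_text):
    """True when the version falls inside one of the published affected ranges.
    9.18.x and the fixed releases fall outside every range and return False."""
    major, minor, patch, sub = parse_version(version_text)
    return any(
        (major, minor) == branch and sub == branch_sub and lo <= patch <= hi
        for branch, lo, hi, branch_sub in AFFECTED_RANGES
    )


def fixed_release_for(version_text):
    """Patched release 'most closely related' to the running version, per the vendor solution;
    None for 9.18 (not affected) or a branch the advisory does not list."""
    major, minor, _, sub = parse_version(version_text)
    if (major, minor) == (9, 20):
        return "9.20.23-S1" if sub else "9.20.23"
    if (major, minor) == (9, 21) and not sub:
        return "9.21.22"
    return None


# One listen-on / listen-on-v6 statement: options up to '{', address match list, '};'
LISTEN_RE = re.compile(r"\b(listen-on(?:-v6)?)\s+([^{;]*)\{([^}]*)\}\s*;")


def strip_comments(conf):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def doh_listeners(conf):
    """Return (directive, port, http_block, match_list) for each listener that uses the
    `http` option. port is None when the statement has no explicit `port` and so relies
    on the global https-port / http-port option."""
    found = []
    for m in LISTEN_RE.finditer(strip_comments(conf)):
        directive, opts, match_list = m.group(1), m.group(2).split(), m.group(3)
        if "http" not in opts:
            continue
        port = int(opts[opts.index("port") + 1]) if "port" in opts else None
        http_block = opts[opts.index("http") + 1]
        found.append((directive, port, http_block, " ".join(match_list.split())))
    return found


def triage(version_text, conf):
    """'not-affected', 'exposed' (affected build with DoH listeners) or
    'affected-no-doh' (affected build, no DoH listener; still upgrade)."""
    if not is_affected(version_text):
        return "not-affected"
    return "exposed" if doh_listeners(conf) else "affected-no-doh"


# Constructed sample named.conf fragment (not taken from any real deployment).
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    listen-on port 53 { any; };                          // plain DNS
    listen-on-v6 port 53 { any; };
    listen-on port 853 tls local-tls { any; };           // DNS-over-TLS only
    /* DNS-over-HTTPS: the code path this CVE lives in */
    listen-on port 443 tls local-tls http local-http { any; };
    listen-on-v6 port 443 tls local-tls http local-http { any; };
};
tls local-tls { key-file "/etc/bind/key.pem"; cert-file "/etc/bind/cert.pem"; };
http local-http { endpoints { "/dns-query"; }; };
"""

if __name__ == "__main__":
    version = "BIND 9.20.22 (Stable Release) <id:0000000>"  # constructed `named -v` output
    print(version, "->", triage(version, SAMPLE_CONF), "; upgrade to", fixed_release_for(version))
    for listener in doh_listeners(SAMPLE_CONF):
        print("DoH listener:", listener)
```

On a real host, feed `doh_listeners()` the output of `named-checkconf -p` rather than the raw file: that expands `include` files and normalizes formatting, which the simple regex above depends on. A `not-affected` verdict for a 9.18 build is what the advisory states, not a sign that DoH is safe to leave open in general.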


Advisories
Source       ID           Title
Debian DSA   DSA-6285-1   bind9 security update
Ubuntu USN   USN-8293-1   Bind vulnerabilities
History

Fri, 22 May 2026 00:15:00 +0000

Type         Values Removed            Values Added
Weaknesses                             CWE-825
References
Metrics      threat_severity: None     threat_severity: Important


Thu, 21 May 2026 15:30:00 +0000

Type         Values Removed            Values Added
CPEs                                   cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*

Wed, 20 May 2026 14:30:00 +0000

Type         Values Removed            Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 13:15:00 +0000

Type                  Values Removed   Values Added
Description                            A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.
Title                                  Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation
First Time appeared                    Isc, Isc bind
Weaknesses                             CWE-416
CPEs                                   cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
Vendors & Products                     Isc, Isc bind
References
Metrics                                cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: isc

Published:

Updated: 2026-05-20T13:40:45.166Z

Reserved: 2026-03-05T12:57:16.981Z

Link: CVE-2026-3593

Vulnrichment

Updated: 2026-05-20T13:40:40.119Z

NVD

Status : Analyzed

Published: 2026-05-20T13:16:23.923

Modified: 2026-05-21T15:24:31.413

Link: CVE-2026-3593

Red Hat

Severity : Important

Public Date: 2026-05-21T11:59:02Z

Links: CVE-2026-3593 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-22T03:00:12Z

Weaknesses