The Internet Systems Consortium (ISC) has released urgent updates for BIND 9. The patches address several critical BIND 9 flaws affecting global DNS infrastructure. The newly disclosed vulnerabilities expose resolvers and authoritative servers to remote exploits, so network administrators must prioritize upgrades to prevent service disruptions.
Severe Memory Exploits Threaten Servers
The advisory highlights a high-severity memory leak tracked as CVE-2026-3039. BIND servers using TKEY-based authentication via GSS-API tokens face severe memory exhaustion when processing malicious packets. An unauthenticated attacker can remotely send corrupted data that causes memory to be allocated and never released, and the daemon eventually crashes with out-of-memory errors. This flaw typically impacts Active Directory integrated DNS deployments or Kerberos-secured setups.
Another severe memory issue affects the DNS-over-HTTPS implementation under CVE-2026-3593. Specifically, malicious HTTP/2 traffic sent to a secure endpoint triggers memory corruption via a use-after-free flaw. Authoritative servers and resolvers are equally vulnerable to this flaw. However, administrators can disable DNS-over-HTTPS as an immediate workaround.
Assertion Failures and Resource Loops
ISC also addressed a critical termination bug listed as CVE-2026-5946. This vulnerability involves the invalid handling of data classes other than Internet (IN), such as CHAOS or HESIOD. Attackers can send specially crafted requests to cause instant assertion failures in the system. As a result, the named process terminates unexpectedly.
Similarly, CVE-2026-5947 is a dangerous use-after-free race condition that occurs during query floods. If the server reaches its “recursive-clients” limit while validating a SIG(0) signature, it may read a discarded message. This improper read leads to an immediate program abort.
Meanwhile, CVE-2026-5950 details an unbounded resend loop within the resolver state machine. Unauthenticated remote actors can intentionally trigger specific retry loops during bad-server handling. This loop causes severe resource exhaustion on the host.
Glue Record Amplification Tactics
The final advisory, CVE-2026-3592, exposes an amplification vector using self-pointed glue records. If a resolver queries a specially crafted zone, it will consume a disproportionate amount of bandwidth. Consequently, this resource draining impairs normal TCP operations.
Recommended Patching Strategy
To secure your environment against these critical BIND 9 flaws, you must apply official software upgrades immediately. ISC recommends moving to versions 9.18.49, 9.20.23, or 9.21.22 based on your release track. Alternatively, customers using the Supported Preview Edition should transition to safe builds like 9.18.49-S1 or 9.20.23-S1. Maintaining a fast update routine remains the best protection for your network edge.
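A triage sketch for the upgrade guidance and the DNS-over-HTTPS workaround above, added here as an example and not taken from ISC or the original article. It compares a `named -v` style banner against the fixed releases listed and scans a `named.conf` for a DoH listener and GSS-API TKEY options; the function names, sample banner and sample configuration are constructed, and the regex scan is an approximation of BIND's own configuration parser.

```python
import re

# Fixed releases named in the article, keyed by release track (major, minor).
FIXED = {(9, 18): 49, (9, 20): 23, (9, 21): 22}

# Constructed sample inputs (not real hosts or real output).
SAMPLE_BANNER = "BIND 9.18.41 (Extended Support Version) <id:constructed>"
SAMPLE_CONF = """
options {
    listen-on port 53 { any; };
    listen-on port 443 tls local-tls http default { any; };  // DoH
    # tkey-gssapi-keytab "/etc/named.keytab";   (commented out)
};
"""

def parse_version(banner):
    """Return (major, minor, patch, is_preview) from a `named -v` style banner."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?", banner)
    if not m:
        raise ValueError(f"no BIND version in {banner!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) is not None

def version_status(banner):
    """Classify a banner as 'patched', 'upgrade' or 'unknown-track'."""
    major, minor, patch, _ = parse_version(banner)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "unknown-track"  # the article names no fixed release for this track
    return "patched" if patch >= fixed_patch else "upgrade"

def strip_comments(conf):
    """Remove /* */, // and # comments so disabled settings are not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def config_exposure(conf):
    """Flag the features the article ties to CVE-2026-3593 and CVE-2026-3039."""
    conf = strip_comments(conf)
    return {
        # DoH: a listen-on / listen-on-v6 statement that carries an http clause
        "doh_listener": bool(re.search(r"\blisten-on(-v6)?\b[^;{]*\bhttp\b", conf)),
        # GSS-API TKEY: keytab or credential option is set
        "gss_tkey": bool(re.search(r"\btkey-gssapi-(keytab|credential)\b", conf)),
    }

if __name__ == "__main__":
    print(version_status(SAMPLE_BANNER), config_exposure(SAMPLE_CONF))
```

Distribution packages that backport fixes can keep an older version number, so an "upgrade" result there is a prompt to check the vendor changelog. An "unknown-track" result means the article names no fixed release for that branch.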