Internet Systems Consortium (ISC) disclosed six vulnerabilities in BIND 9 and released patched versions 9.18.49, 9.20.23, and 9.21.22. The issues include CVE-2026-3039, a high-severity memory-exhaustion flaw during GSS-API TKEY negotiation that can crash named; CVE-2026-3593, a high-severity heap use-after-free in the DNS-over-HTTPS implementation triggered by crafted HTTP/2 traffic; CVE-2026-3592, an amplification issue involving self-pointed glue records that can drive disproportionate bandwidth and resource consumption; CVE-2026-5947, a race condition in SIG(0) validation under query-flood conditions that can lead to undefined behavior and process crashes; plus additional flaws involving invalid handling of CLASS != IN and an unbounded resend loop in the resolver.
ISC said the vulnerabilities are remotely exploitable in affected configurations, with the most serious impacts centered on denial of service, memory corruption, and resolver abuse rather than confirmed code execution. Exposure depends on feature use: the GSS-API issue is especially relevant to Active Directory-integrated or Kerberos-secured DNS deployments, while the DoH flaw affects only servers with DNS-over-HTTPS enabled and can be mitigated by disabling that feature until upgrades are applied. ISC reported no known active exploitation at disclosure time, said no workaround is known for several of the bugs, and credited external researchers including Vitaly Simonovich, Naoki Wakamatsu, Naresh Kandula Parmar, and Shuhan Zhang for reporting the flaws.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Debian issued security advisory DSA 6285-1 for bind9, making distribution-specific security updates available in response to the BIND 9 vulnerabilities disclosed by ISC. This marks downstream packaging and release of fixes for Debian systems.
Alongside the disclosure, ISC released updated BIND 9 versions 9.18.49, 9.20.23, and 9.21.22 to address the newly disclosed vulnerabilities. ISC also stated that prepared software packages could now be released publicly.
ISC publicly disclosed six vulnerabilities affecting BIND 9, including CVE-2026-3039, CVE-2026-3592, CVE-2026-3593, CVE-2026-5946, CVE-2026-5947, and CVE-2026-5950, after the embargo period ended. The issues included denial-of-service, amplification, use-after-free, undefined behavior, and resolver loop conditions.
ISC sent early notifications for at least CVE-2026-5947 and CVE-2026-3593 ahead of public disclosure. The advisories indicate this early notification occurred one week before publication.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
10 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcesecurityonline.info
Open sourcemsrc.microsoft.com
Open sourcecyber.gc.ca
Open sourcelists.debian.org
Open sourcekb.isc.org
Open sourcekb.isc.org
Open sourcekb.isc.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.