CVE-2026-3039 Overview
CVE-2026-3039 is a memory exhaustion vulnerability in ISC BIND 9 DNS servers configured to use TKEY-based authentication via Generic Security Service Application Program Interface (GSS-API) tokens. An unauthenticated remote attacker can send maliciously-constructed packets that cause the server to consume excessive memory. The affected deployments are typically Active Directory integrated DNS servers and Kerberos-secured DNS environments. The flaw is classified under [CWE-771] Missing Reference to Active Allocated Resource.
Critical Impact
Remote unauthenticated attackers can exhaust server memory on BIND deployments using TKEY GSS-API authentication, disrupting DNS resolution for Active Directory and Kerberos-integrated environments.
Affected Products
- ISC BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, and 9.21.0 through 9.21.21
- ISC BIND 9 Supported Preview Edition versions 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1
- BIND DNS servers configured for TKEY-based GSS-API authentication, including Active Directory integrated DNS
Discovery Timeline
- 2026-05-20 - CVE-2026-3039 published to the National Vulnerability Database (NVD)
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-3039
Vulnerability Analysis
The vulnerability resides in BIND 9's handling of TKEY (Transaction Key) resource records that use GSS-API tokens for authenticated key negotiation. TKEY exchanges are used to establish shared secrets between DNS clients and servers, most commonly in Active Directory environments where Kerberos is the underlying authentication mechanism. When BIND processes a specially crafted TKEY query, the server allocates memory to handle the GSS-API negotiation but fails to release that memory under specific conditions. Repeated malicious queries cause memory consumption to grow until the server becomes unresponsive or is terminated by the host operating system. The impact is limited to availability — the flaw does not expose data or permit code execution.
Root Cause
The underlying defect is a missing release of an allocated resource [CWE-771]. The TKEY/GSS-API processing path allocates buffers and context structures that are not consistently freed when malformed or adversarial input is supplied. Each unhandled allocation increases the resident memory footprint of the named process.
Attack Vector
Exploitation requires only network reachability to UDP/TCP port 53 of a vulnerable BIND resolver or authoritative server configured for GSS-TSIG. No authentication or user interaction is required. The attacker sends a sequence of maliciously-constructed TKEY queries containing GSS-API tokens that trigger the leak. Detailed exploitation primitives are not published; refer to the ISC CVE-2026-3039 Documentation for vendor-supplied technical context.
Detection Methods for CVE-2026-3039
Indicators of Compromise
- Sustained, abnormal growth of resident memory used by the named process without a corresponding increase in legitimate query volume
- Elevated rate of inbound DNS queries containing TKEY records (query type 249) from a small number of source addresses
- BIND log entries referencing repeated GSS-API or gss-tsig negotiation failures
- named process restarts or out-of-memory (OOM) kills recorded in system logs
Detection Strategies
- Inspect DNS traffic for unusual volumes of TKEY queries, particularly toward servers that are not domain controllers and should not receive GSS-TSIG traffic
- Correlate memory consumption metrics for named with inbound TKEY query rates over time
- Enable BIND query logging on TKEY-capable servers and alert on anomalous source IP distribution
Monitoring Recommendations
- Track named process resource usage with host monitoring agents and alert on memory growth exceeding a defined baseline
- Forward BIND query and security logs to a centralized SIEM for correlation with network telemetry
- Monitor authoritative and recursive DNS servers separately, since exposure depends on whether GSS-TSIG is configured
How to Mitigate CVE-2026-3039
Immediate Actions Required
- Upgrade BIND to a fixed release: 9.18.49, 9.20.23, or 9.21.22 as published by ISC
- Identify all BIND instances configured with tkey-gssapi-keytab or tkey-gssapi-credential and prioritize patching those systems
- Restrict network access to DNS services so that only trusted clients can reach servers that accept TKEY queries
Patch Information
ISC has released fixed versions. Administrators should install ISC BIND 9.18.49 Release, ISC BIND 9.20.23 Release, or ISC BIND 9.21.22 Release depending on the deployed branch. Supported Preview Edition customers should consult ISC for the corresponding -S1 releases. Full vendor guidance is available in the ISC CVE-2026-3039 Documentation.
Workarounds
- Disable TKEY GSS-API authentication on BIND servers that do not require it by removing tkey-gssapi-keytab and tkey-gssapi-credential directives from named.conf
- Apply firewall rules to allow DNS traffic only from authenticated internal clients and domain controllers that legitimately use GSS-TSIG
- Place rate limits on TKEY queries at upstream network devices to slow exhaustion attempts until patches can be deployed
# Configuration example - disable GSS-TSIG if not required
# Remove or comment out the following lines in named.conf:
# tkey-gssapi-keytab "/etc/named/dns.keytab";
# tkey-gssapi-credential "DNS/server.example.com";
# Restart BIND after changes
sudo systemctl restart named
# Verify the running version after upgrade
named -v
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
