CVE-2026-3593 Overview
CVE-2026-3593 is a use-after-free vulnerability [CWE-416] in the DNS-over-HTTPS (DoH) implementation of ISC BIND 9. The flaw affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and Supported Preview (subscription) Edition builds 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are not affected. The vulnerability is reachable over the network without authentication or user interaction. Successful exploitation crashes the named process, interrupting DNS resolution for every client that depends on it.
Critical Impact
A remote attacker can trigger memory corruption in the BIND 9 DoH handler and crash named: a denial of service against any authoritative server or recursive resolver that terminates DoH on an internet-facing listener.
Affected Products
- ISC BIND 9 versions 9.20.0 through 9.20.22
- ISC BIND 9 versions 9.21.0 through 9.21.21
- ISC BIND 9 Supported Preview Edition 9.20.9-S1 through 9.20.22-S1
Discovery Timeline
- 2026-05-20 - CVE-2026-3593 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-3593
Vulnerability Analysis
The vulnerability resides in the DNS-over-HTTPS code path that BIND 9 introduced in the 9.18 release series and expanded in 9.20 and 9.21. A use-after-free condition [CWE-416] occurs when the DoH handler references memory associated with an HTTP/2 stream or DNS message after it has been released. The bug is reachable over the network on instances that accept DoH queries, that is, on a listen-on statement that carries both tls and http options. Exploitation does not require authentication, but the attacker must win a timing or ordering condition within the asynchronous I/O pipeline, which raises the attack complexity. Dereferencing the freed object can corrupt internal state in named, terminating the resolver process and interrupting service for all dependent clients.
Root Cause
The defect is a lifetime management error in the DoH transport layer. An object referenced by the HTTP/2 session or query context is released along one code path while another path still holds and dereferences the stale pointer. Because the 9.18 branch lacks the refactored DoH code, it is not exposed to the same condition.
Attack Vector
An unauthenticated remote attacker sends crafted DoH requests to a listener configured to terminate https traffic on named. Repeated requests that exercise the racy free-and-reuse sequence cause the worker thread to dereference freed memory, crashing the daemon. The vulnerability cannot be triggered through plain DNS (UDP/53, TCP/53) or DNS-over-TLS listeners that do not share the affected DoH code path.
No verified public proof-of-concept code is available. See the ISC CVE-2026-3593 Documentation for vendor technical details.
Detection Methods for CVE-2026-3593
Indicators of Compromise
- Unexpected termination or repeated restart of the named process on resolvers exposed to DoH traffic.
- Crash signatures or SIGSEGV entries in system logs (journalctl -u named, /var/log/messages) correlated with inbound HTTPS traffic on the DoH listener port.
- Spikes in HTTP/2 requests to the /dns-query endpoint from a small set of source addresses.
Detection Strategies
- Inventory BIND 9 instances with named -v and flag hosts whose banner shows an affected 9.20.x, 9.21.x, or 9.20.x-S1 build; the version banner, not the distribution package name, is what matters.
- Inspect named.conf for listen-on and listen-on-v6 statements that carry an http option (the DoH listeners), and confirm whether the addresses and ports they bind are reachable from untrusted networks.
- Alert on named process exits with non-zero status, especially when paired with inbound DoH traffic.
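The two inventory checks above, written out as an added Python example (not code from ISC or from this page): it classifies a named -v banner against the affected ranges the advisory lists, and scans a named.conf for listen-on statements that carry an http option. The named.conf sample is constructed for the example, and its block names, paths, and addresses are assumptions.

```python
import re

# Affected ranges exactly as the advisory lists them (inclusive). Edition None
# is the open-source build; "S1" is the Supported Preview (subscription) Edition.
AFFECTED_RANGES = (
    ((9, 20, 0), (9, 20, 22), None),
    ((9, 21, 0), (9, 21, 21), None),
    ((9, 20, 9), (9, 20, 22), "S1"),
)
FIXED_IN = {(9, 20): (9, 20, 23), (9, 21): (9, 21, 22)}

# First line of `named -v`, e.g. "BIND 9.20.22 (Stable Release) <id:...>"
# or "BIND 9.20.22-S1 (Supported Preview Edition) <id:...>".
VERSION_RE = re.compile(r"\bBIND (\d+)\.(\d+)\.(\d+)(?:-(S\d+))?\b")

# named.conf comment styles (//, #, /* */) and listen-on / listen-on-v6 statements.
COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
LISTEN_RE = re.compile(r"\b(listen-on(?:-v6)?)\b(?P<opts>[^{;]*)\{(?P<addrs>[^}]*)\}\s*;")

def parse_named_version(named_v_output):
    """Return ((major, minor, patch), edition suffix or None) from `named -v` output."""
    m = VERSION_RE.search(named_v_output)
    if not m:
        raise ValueError(f"unrecognised named -v output: {named_v_output!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)

def is_affected(named_v_output):
    version, edition = parse_named_version(named_v_output)
    return any(ed == edition and lo <= version <= hi for lo, hi, ed in AFFECTED_RANGES)

def _option(opts, name, default=None):
    """Value following keyword `name` in a listen-on option list, e.g. ['port', '443', ...]."""
    return opts[opts.index(name) + 1] if name in opts else default

def find_doh_listeners(named_conf):
    """Every listen-on / listen-on-v6 statement carrying an http option, i.e. a
    listener on which named itself terminates DoH. DoT-only (tls without http)
    and plain DNS listeners are skipped: they are not the DoH code path."""
    text = COMMENT_RE.sub("", named_conf)
    listeners = []
    for m in LISTEN_RE.finditer(text):
        opts = m.group("opts").split()
        if "http" not in opts:
            continue
        addrs = [a.strip() for a in m.group("addrs").split(";") if a.strip()]
        listeners.append({
            "statement": m.group(1),
            "port": int(_option(opts, "port", "53")),
            "tls": _option(opts, "tls"),
            "http": _option(opts, "http"),
            "addrs": addrs,
            "wildcard": "any" in addrs,   # bound on every interface: check firewall reach
        })
    return listeners

def triage(named_v_output, named_conf):
    """Combine both checks into one verdict for a host."""
    version, _ = parse_named_version(named_v_output)
    affected, doh = is_affected(named_v_output), find_doh_listeners(named_conf)
    if affected and doh:
        action = "patch_now"      # vulnerable code reachable from the network
    elif affected:
        action = "patch"          # vulnerable build, but no DoH listener configured
    else:
        action = "none"
    return {"version": version, "affected": affected, "doh_listeners": doh,
            "fixed_in": FIXED_IN.get(version[:2]), "action": action}

# Constructed sample named.conf; block names, paths and addresses are assumptions.
SAMPLE_NAMED_CONF = """\
// constructed sample, not a real deployment
tls local-tls {
    key-file "/etc/bind/tls/key.pem";
    cert-file "/etc/bind/tls/cert.pem";
};
http local-http-server {
    endpoints { "/dns-query"; };
};
options {
    directory "/var/cache/bind";
    listen-on port 53 { any; };
    listen-on port 853 tls local-tls { any; };                          # DoT only
    listen-on port 443 tls local-tls http local-http-server { any; };   # DoH
    listen-on-v6 port 443 tls local-tls http local-http-server { 2001:db8::1; };
};
"""

if __name__ == "__main__":
    # Feed real input by replacing these two values with the output of
    # `named -v` and the contents of the host's named.conf.
    print(triage("BIND 9.20.22 (Stable Release)", SAMPLE_NAMED_CONF))
```

The DoT listener on port 853 in the sample is deliberately left unflagged: the advisory places the defect in the DoH handler, so only listeners with an http option count as exposure, and a host with an affected build but no such listener still gets a "patch" verdict rather than "none".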
Monitoring Recommendations
- Monitor TCP/443 (or any custom DoH port) request rates and connection churn against authoritative and recursive resolvers.
- Capture netflow and reverse proxy logs in front of DoH listeners to retain attacker source attribution.
- Forward named query and resolver logs to a central log store with retention sufficient to investigate intermittent crashes.
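The crash correlation that the indicators and monitoring items above describe, as an added Python example (not the page's or ISC's code): it counts /dns-query requests per source over a sliding window from reverse-proxy access-log lines, pulls named crashes out of systemd journal lines, and lists the sources that were hammering the DoH endpoint in the seconds before each crash. The access-log and journal lines are constructed for the example; the thresholds, window lengths and unit names (named.service, bind9.service) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-format access-log line from a proxy or load balancer in front of the DoH listener.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
# systemd's record of a main-process exit, e.g. "named.service: Main process
# exited, code=killed, status=11/SEGV". The unit names are assumptions.
CRASH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ systemd\[\d+\]: "
    r"(?P<unit>named\.service|bind9\.service): Main process exited, "
    r"code=(?P<code>\w+), status=(?P<status>\S+)$"
)

def parse_doh_requests(access_lines):
    """(timestamp, source) for every request to /dns-query, sorted by time."""
    events = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m.group("path").split("?", 1)[0] != "/dns-query":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("src")))
    return sorted(events)

def doh_bursts(events, window=timedelta(seconds=10), threshold=50):
    """Peak per-source request count inside any sliding window of `window`
    length, reported only for sources that reach `threshold` at least once."""
    recent, peak = defaultdict(deque), {}
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak

def named_crashes(journal_lines, year):
    """(timestamp, exit status) for each unclean named exit; journal short
    timestamps carry no year, so the caller supplies it."""
    crashes = []
    for line in journal_lines:
        m = CRASH_RE.match(line)
        if not m or m.group("status") == "0/SUCCESS":
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        crashes.append((ts.replace(tzinfo=timezone.utc), m.group("status")))
    return crashes

def correlate(events, crashes, lookback=timedelta(seconds=30), threshold=50):
    """For each crash, the sources that sent >= threshold /dns-query requests in
    the `lookback` interval before it: the addresses to block first."""
    report = {}
    for crash_ts, status in crashes:
        counts = defaultdict(int)
        for ts, src in events:
            if crash_ts - lookback <= ts <= crash_ts:
                counts[src] += 1
        suspects = sorted(s for s, n in counts.items() if n >= threshold)
        report[crash_ts] = {"status": status, "suspects": suspects}
    return report

# Constructed sample: 60 POSTs from one address in under 8 s, three GETs from
# another, then a SIGSEGV exit recorded by systemd one second later.
def constructed_access_log():
    base = datetime(2026, 5, 20, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S"
    lines = [f'203.0.113.5 - - [{(base + timedelta(milliseconds=130 * i)).strftime(fmt)} +0000] '
             f'"POST /dns-query HTTP/2.0" 200 468 "-" "curl/8.5.0"' for i in range(60)]
    lines += [f'198.51.100.7 - - [{(base + timedelta(seconds=2 * i)).strftime(fmt)} +0000] '
              f'"GET /dns-query?dns=AAABAAABAAAAAAAAA2lzYwNvcmcAAAEAAQ HTTP/2.0" 200 113 "-" "Mozilla/5.0"'
              for i in range(3)]
    return lines

CONSTRUCTED_JOURNAL = [
    "May 20 09:59:58 ns1 systemd[1]: Started named.service - BIND Domain Name Server.",
    "May 20 10:00:09 ns1 systemd[1]: named.service: Main process exited, code=killed, status=11/SEGV",
    "May 20 10:00:09 ns1 systemd[1]: named.service: Failed with result 'signal'.",
    "May 20 10:00:10 ns1 systemd[1]: named.service: Scheduled restart job, restart counter is at 1.",
]

def run_sample():
    events = parse_doh_requests(constructed_access_log())
    crashes = named_crashes(CONSTRUCTED_JOURNAL, year=2026)
    return doh_bursts(events), correlate(events, crashes)

if __name__ == "__main__":
    bursts, report = run_sample()
    print("burst sources:", bursts)
    for ts, r in report.items():
        print(f"{ts.isoformat()} named exit {r['status']}: suspects {r['suspects']}")
```

Run against real data by piping the proxy's access log and the output of journalctl -u named (or bind9) into the two parsers. The burst detector alone is noisy on a busy public resolver; the useful signal is the join with an unclean exit, which is why correlate() works backwards from each crash rather than forwards from each burst.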
How to Mitigate CVE-2026-3593
Immediate Actions Required
- Upgrade to BIND 9 9.20.23 or 9.21.22, which contain the fix for CVE-2026-3593.
- Subscription Edition users should upgrade to the corresponding patched -S1 build provided by ISC.
- If patching is not immediately possible, stop named from terminating DoH: remove or comment out every listen-on and listen-on-v6 statement that carries an http option, validate the result with named-checkconf, and reload named. DoT listeners (tls without http) and plain DNS listeners can stay, since they do not reach the affected DoH code path.
- Restrict DoH listener exposure to trusted networks using firewall ACLs until patches are deployed.
Patch Information
ISC has published fixed releases. Refer to the ISC BIND 9.20.23 Release and the ISC BIND 9.21.22 Release for source tarballs and release notes. Operators using BIND 9.18 are not affected and do not require an upgrade for this CVE.
Workarounds
- Terminate DoH at an upstream reverse proxy or load balancer that hands named plain DNS (UDP/53, TCP/53) or DoT instead of HTTP, until the patched version is deployed. A proxy that only offloads TLS and forwards HTTP/2 to an http listener on named still exercises the DoH handler and does not remove the exposure.
- Disable DoH on named listeners and direct clients to DNS-over-TLS or traditional DNS where feasible.
- Apply rate limiting on the DoH endpoint to slow exploitation attempts against unpatched instances.
# Configuration example: disable DoH termination in named.conf until patched.
# The http block and the listen-on statement that references it are the DoH
# pieces; the tls block they point at (local-tls, defined elsewhere in the
# file) can remain if a DoT listener still uses it.
# Comment out or remove blocks similar to the following:
#
# http local-http-server {
#     endpoints { "/dns-query"; };
# };
#
# options {
#     listen-on port 443 tls local-tls http local-http-server { any; };
# };
#
# Verify the running version after upgrade
named -v
# Expected output: BIND 9.20.23 or BIND 9.21.22 (or the matching -S1 build)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.