CVE-2026-3039 PUBLISHED

BIND 9 server memory exhaustion during GSS-API TKEY negotiation

Assigner: isc
Reserved: 23.02.2026 Published: 20.05.2026 Updated: 20.05.2026

BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor ISC
Product BIND 9
Versions Default: unaffected
  • affected from 9.0.0 to 9.16.50 (incl.)
  • affected from 9.18.0 to 9.18.48 (incl.)
  • affected from 9.20.0 to 9.20.22 (incl.)
  • affected from 9.21.0 to 9.21.21 (incl.)
  • affected from 9.9.3-S1 to 9.16.50-S1 (incl.)
  • affected from 9.18.11-S1 to 9.18.48-S1 (incl.)
  • affected from 9.20.9-S1 to 9.20.22-S1 (incl.)

Exploits

We are not aware of any active exploits.

Workarounds

No workarounds known.

Solutions

Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.
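A triage check for the version ranges and precondition stated in this record, added here as an example and not part of ISC's advisory. It assumes the version string looks like `named -v` output, treats the named.conf options `tkey-gssapi-keytab` and `tkey-gssapi-credential` as the markers of GSS-API TKEY use, and ignores the number after `-S`; the sample configuration is constructed.

```python
import re

# Inclusive affected ranges, copied from this record.
OPEN_RANGES = [((9, 0, 0), (9, 16, 50)), ((9, 18, 0), (9, 18, 48)),
               ((9, 20, 0), (9, 20, 22)), ((9, 21, 0), (9, 21, 21))]
S_RANGES = [((9, 9, 3), (9, 16, 50)), ((9, 18, 11), (9, 18, 48)),
            ((9, 20, 9), (9, 20, 22))]

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """
options {
    directory "/var/named";
    // tkey-gssapi-credential "DNS/old.example.test";
    tkey-gssapi-keytab "/etc/named.keytab";
};
"""

def parse_version(text):
    """Return ((major, minor, patch), is_s_edition) from a version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?", text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4) is not None

def version_affected(text):
    """True if the version falls inside a range listed in this record."""
    triple, is_s = parse_version(text)
    # Assumption: the -S suffix number is ignored; only x.y.z is compared.
    ranges = S_RANGES if is_s else OPEN_RANGES
    return any(lo <= triple <= hi for lo, hi in ranges)

def gssapi_tkey_options(conf):
    """Return the GSS-API TKEY options that are active (not commented out)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)  # /* block */ comments
    conf = re.sub(r"(//|#).*", "", conf)               # // and # line comments
    found = re.findall(r"\btkey-gssapi-(?:keytab|credential)\b", conf)
    return sorted(set(found))

def assess(version_text, conf):
    """Combine the version check with the configuration precondition."""
    if not version_affected(version_text):
        return "not affected"
    if gssapi_tkey_options(conf):
        return "exposed"
    return "affected version, GSS-API TKEY not configured"

if __name__ == "__main__":
    print(assess("BIND 9.18.48 (Extended Support Version)", SAMPLE_CONF))
```

Distribution packages may backport the fix without changing the upstream version number, so a hit from the version check should be confirmed against the packager's changelog.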

Credits

  • ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention.

Problem Types

  • CWE-771 Missing Reference to Active Allocated Resource

Impacts

  • An attacker can construct and send packets to a BIND server that will cause it to allocate memory that is not subsequently released. Depending on the volume and frequency of the packets received, named will eventually fail due to memory exhaustion.