CVE-2026-3104 PUBLISHED

Memory leak in code preparing DNSSEC proofs of non-existence

Assigner: isc
Reserved: 24.02.2026 Published: 25.03.2026 Updated: 25.03.2026

A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	ISC
Product	BIND 9
Versions	Default: unaffected affected from 9.20.0 to 9.20.20 (incl.) affected from 9.21.0 to 9.21.19 (incl.) affected from 9.20.9-S1 to 9.20.20-S1 (incl.) unaffected from 9.18.0 to 9.18.46 (incl.) unaffected from 9.18.11-S1 to 9.18.46-S1 (incl.)

Exploits

We are not aware of any active exploits.

Workarounds

No workarounds known.

Solutions

Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.21, 9.21.20, or 9.20.21-S1.

Credits

ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention.

References

Problem Types

CWE-772 Missing Release of Resource after Effective Lifetime CWE

Impacts

If a BIND resolver is asked to query a specially crafted domain, memory will not be recovered by `named`. This can cause unbounded growth of Resident Set Size (RSS) memory, which may lead to an out-of-memory condition. Additionally, `named` will exit with an assertion failure if a shutdown or reload is attempted.