Threat level: high

CVE-2026-3593 Use-After-Free Vulnerability in BIND 9 DNS-over-HTTPS

A use-after-free vulnerability in the DNS-over-HTTPS implementation of BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1 could allow an attacker to cause a denial of service or potentially execute arbitrary code.

CVE-2026-3593 describes a use-after-free vulnerability residing within the DNS-over-HTTPS (DoH) implementation of BIND 9. This flaw affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. Successful exploitation of this vulnerability could lead to a denial-of-service condition, where the BIND 9 server becomes unresponsive, or potentially allow an attacker to execute arbitrary code on the affected system. This vulnerability poses a significant risk to organizations relying on BIND 9 for DNS services, potentially disrupting network operations and compromising system integrity. Note that BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.

Attack Chain

  1. An attacker sends a specially crafted DNS-over-HTTPS request to a vulnerable BIND 9 server.
  2. The BIND 9 server attempts to process the malicious DoH request.
  3. Due to the vulnerability, the server accesses a memory location that has already been freed.
  4. This use-after-free condition leads to memory corruption within the BIND 9 process.
  5. The memory corruption can cause the server to crash, resulting in a denial-of-service.
  6. In a more sophisticated attack, the attacker might be able to manipulate the memory corruption to execute arbitrary code.
  7. Successful code execution allows the attacker to gain control over the BIND 9 server.
  8. The attacker can then use the compromised server to launch further attacks or exfiltrate sensitive data.

Impact

Successful exploitation of CVE-2026-3593 can result in a denial-of-service condition for affected BIND 9 servers, disrupting DNS resolution services for dependent networks and applications. In a more severe scenario, the vulnerability could be leveraged to achieve arbitrary code execution, allowing attackers to gain control over the BIND 9 server and potentially compromise the entire network infrastructure. The impact will vary depending on the criticality of the affected BIND 9 servers within the organization’s infrastructure.

Recommendation

  • Upgrade to BIND 9 version 9.20.23 or 9.21.22 to remediate CVE-2026-3593, as recommended in the Internet Systems Consortium (ISC) advisory (https://kb.isc.org/docs/cve-2026-3593).
  • Monitor network traffic for unusual DNS-over-HTTPS requests that may indicate exploitation attempts, using a network intrusion detection system (NIDS).
  • Deploy the provided Sigma rule, which detects unusual process execution originating from named and may indicate an exploitation attempt against CVE-2026-3593.
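The first step of the recommendation is knowing whether a given named build sits inside one of the affected ranges, which is fiddly because the open-source branches and the Subscription Edition (-S1) builds have different start points. The following is an added example written for this page, not ISC code: it encodes the inclusive ranges exactly as the advisory text above states them, parses the version token from `named -v` output (format assumed to be `BIND <version> (<release type>) <id:...>`, with distribution builds possibly appending their own suffix), and reports whether the build is affected and which fixed release the page names for that branch.

```python
"""Check a BIND 9 version string against the CVE-2026-3593 affected ranges.

Example code added for this page; the ranges are copied from the advisory text
above. Distribution packages may backport the fix without bumping the upstream
version, so treat a hit as "needs verification against the vendor advisory",
not as proof of exposure.
"""
import re
import subprocess
from typing import NamedTuple, Optional


class BindVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    subscription: bool  # True for Subscription Edition builds carrying the "-S1" suffix


# Inclusive ranges (low, high, is_subscription_build) as stated on the page.
AFFECTED_RANGES = [
    ((9, 20, 0), (9, 20, 22), False),  # 9.20.0 through 9.20.22
    ((9, 21, 0), (9, 21, 21), False),  # 9.21.0 through 9.21.21
    ((9, 20, 9), (9, 20, 22), True),   # 9.20.9-S1 through 9.20.22-S1
]

# Fixed open-source releases named on the page, keyed by branch (major, minor).
# The page does not name a fixed -S1 release; consult the ISC advisory for those builds.
FIXED_RELEASES = {(9, 20): "9.20.23", (9, 21): "9.21.22"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-S1)?$")


def parse_version(text: str) -> BindVersion:
    """Parse '9.20.22' or '9.20.22-S1' into a BindVersion."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return BindVersion(int(major), int(minor), int(patch), suffix is not None)


def version_from_named_output(output: str) -> BindVersion:
    """Extract the version token from `named -v` output.

    Assumed format: 'BIND 9.20.22 (Stable Release) <id:...>'. A distro suffix such
    as '-1-Debian' after the triple is ignored; only '-S1' is significant here.
    """
    m = re.search(r"\bBIND\s+(\d+\.\d+\.\d+(?:-S1)?)", output)
    if not m:
        raise ValueError(f"no BIND version found in: {output!r}")
    return parse_version(m.group(1))


def is_affected(v: BindVersion) -> bool:
    """True if the version falls inside one of the affected ranges (same edition only)."""
    triple = (v.major, v.minor, v.patch)
    return any(
        v.subscription == subscription and low <= triple <= high
        for low, high, subscription in AFFECTED_RANGES
    )


def fixed_release(v: BindVersion) -> Optional[str]:
    """Fixed release named on the page for this branch, or None if the page names none."""
    if v.subscription:
        return None  # -S1 fixed release is not stated on the page
    return FIXED_RELEASES.get((v.major, v.minor))


def report(v: BindVersion) -> str:
    """Human-readable verdict for one version."""
    tag = f"{v.major}.{v.minor}.{v.patch}{'-S1' if v.subscription else ''}"
    if not is_affected(v):
        return f"{tag}: not in an affected range for CVE-2026-3593"
    fix = fixed_release(v)
    target = f"upgrade to {fix}" if fix else "see the ISC advisory for the fixed -S1 release"
    return f"{tag}: AFFECTED by CVE-2026-3593, {target}"


if __name__ == "__main__":
    # Query the locally installed named; falls back to a sample token if named is absent.
    try:
        out = subprocess.run(["named", "-v"], capture_output=True, text=True, check=False).stdout
        print(report(version_from_named_output(out)))
    except (FileNotFoundError, ValueError) as exc:
        print(f"could not read local named version ({exc}); checking a sample token instead")
        print(report(parse_version("9.20.22")))
```

Run it on each resolver host (or feed it the version strings collected by your inventory tool). A version that parses as 9.18.x is reported as unaffected, matching the note in the description, and the comparison is edition-aware so 9.20.8-S1 is correctly outside the -S1 range even though 9.20.8 is inside the open-source one.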

Detection coverage (2 rules)

Detect CVE-2026-3593 Exploitation Attempt — Unusual named Process Execution

Severity: high

Detects CVE-2026-3593 exploitation attempt — unusual process execution originating from named, potentially indicating a use-after-free vulnerability leading to code execution

Format: Sigma | Tactic: execution | Technique: T1059.004 | Log sources: process_creation, linux

Detect CVE-2026-3593 Exploitation Attempt — named Crash

Severity: medium

Detects CVE-2026-3593 exploitation attempt — a crash of the named process, which could be indicative of a use-after-free condition

Format: Sigma | Tactic: availability | Technique: T1499 | Log sources: system, linux
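The two rule descriptions above boil down to simple conditions over two log sources: a process-creation event whose parent is named and whose child is a shell, interpreter or downloader (the execution rule), and a system-log line recording a crash of named (the availability rule). The block below is an added illustration of that logic, not the platform's Sigma rules, which this page does not reproduce. It assumes process-creation telemetry with Image / ParentImage / CommandLine fields, and systemd and kernel crash messages in their usual wording; all sample events and log lines are constructed.

```python
"""Illustrative detections for the two rule descriptions on this page.

Example code added for this page; not the vendor's Sigma rules. Field names
follow the common process_creation model (Image, ParentImage, CommandLine) and
the sample telemetry below is constructed, not captured from a real host.
"""
import re
from posixpath import basename
from typing import Dict, Iterable, List, Tuple

# A DNS daemon has no reason to spawn any of these; extend for your environment.
SUSPICIOUS_CHILDREN = {
    "sh", "bash", "dash", "zsh", "python", "python3", "perl",
    "nc", "ncat", "curl", "wget",
}


def unusual_named_child(event: Dict[str, str]) -> bool:
    """Rule 1 (T1059.004): named spawned a shell/interpreter/downloader."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent == "named" and child in SUSPICIOUS_CHILDREN


# systemd reports an abnormal exit of a unit's main process; the kernel logs a
# user-space segfault with the process name. Both wordings are the standard ones.
_CRASH_PATTERNS = [
    re.compile(r"named\.service: Main process exited, code=(?:dumped|killed), status=\d+/(?:SEGV|ABRT)"),
    re.compile(r"\bnamed\[\d+\]: segfault at "),
]


def named_crashed(line: str) -> bool:
    """Rule 2 (T1499): a system-log line records a crash of the named process."""
    return any(p.search(line) for p in _CRASH_PATTERNS)


def scan(process_events: Iterable[Dict[str, str]], syslog_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for every match in both sources."""
    alerts: List[Tuple[str, str]] = []
    for ev in process_events:
        if unusual_named_child(ev):
            alerts.append(("unusual-named-child", ev.get("CommandLine", "")))
    for line in syslog_lines:
        if named_crashed(line):
            alerts.append(("named-crash", line))
    return alerts


# Constructed sample telemetry (not real data). Event 2 is named re-executing
# itself and event 3 is systemd starting named; neither should alert.
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": "/usr/sbin/named", "Image": "/usr/bin/dash", "CommandLine": "sh", "User": "bind"},
    {"ParentImage": "/usr/sbin/named", "Image": "/usr/sbin/named", "CommandLine": "/usr/sbin/named -u bind", "User": "bind"},
    {"ParentImage": "/usr/lib/systemd/systemd", "Image": "/usr/sbin/named", "CommandLine": "/usr/sbin/named -f -u bind", "User": "bind"},
]
SAMPLE_SYSLOG = [
    "Mar 14 10:02:11 ns1 kernel: named[2143]: segfault at 7f3a1c0 ip 000055d1 sp 00007ffd error 4 in named[55d0+1a000]",
    "Mar 14 10:02:11 ns1 systemd[1]: named.service: Main process exited, code=dumped, status=11/SEGV",
    "Mar 14 10:02:12 ns1 systemd[1]: named.service: Scheduled restart job, restart counter is at 1.",
]


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_SYSLOG):
        print(f"[{rule}] {evidence}")
```

The crash rule is deliberately rated lower than the execution rule on the page, and this logic shows why: any segfault of named matches it, including ones caused by unrelated bugs or resource exhaustion, so in triage correlate a crash alert with whether the DoH listener is enabled on that host and with DoH traffic seen around the crash time, whereas a shell spawned by named is anomalous on its own.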
