<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>BIND 9 (9.20.0 Through 9.20.22) — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/bind-9-9.20.0-through-9.20.22/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 20 May 2026 13:19:04 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/bind-9-9.20.0-through-9.20.22/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-3593 Use-After-Free Vulnerability in BIND 9 DNS-over-HTTPS</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-3593/</link><pubDate>Wed, 20 May 2026 13:19:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-3593/</guid><description>A use-after-free vulnerability in the DNS-over-HTTPS implementation of BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1 could allow an attacker to cause a denial of service or potentially execute arbitrary code.</description><content:encoded><![CDATA[<p>CVE-2026-3593 describes a use-after-free vulnerability residing within the DNS-over-HTTPS (DoH) implementation of BIND 9. This flaw affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. Successful exploitation of this vulnerability could lead to a denial-of-service condition, where the BIND 9 server becomes unresponsive, or potentially allow an attacker to execute arbitrary code on the affected system. 
This vulnerability poses a significant risk to organizations relying on BIND 9 for DNS services, potentially disrupting network operations and compromising system integrity. Note that BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker sends a specially crafted DNS-over-HTTPS request to a vulnerable BIND 9 server.</li>
<li>The BIND 9 server attempts to process the malicious DoH request.</li>
<li>Due to the vulnerability, the server accesses a memory location that has already been freed.</li>
<li>This use-after-free condition leads to memory corruption within the BIND 9 process.</li>
<li>The memory corruption can cause the server to crash, resulting in a denial of service.</li>
<li>In a more sophisticated attack, the attacker might be able to manipulate the memory corruption to execute arbitrary code.</li>
<li>Successful code execution allows the attacker to gain control over the BIND 9 server.</li>
<li>The attacker can then use the compromised server to launch further attacks or exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3593 can result in a denial-of-service condition for affected BIND 9 servers, disrupting DNS resolution services for dependent networks and applications. In a more severe scenario, the vulnerability could be leveraged to achieve arbitrary code execution, allowing attackers to gain control over the BIND 9 server and potentially compromise the entire network infrastructure. The impact will vary depending on the criticality of the affected BIND 9 servers within the organization&rsquo;s infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to BIND 9 version 9.20.23 or 9.21.22 to remediate CVE-2026-3593, as recommended by the Internet Systems Consortium (ISC) advisory (<a href="https://kb.isc.org/docs/cve-2026-3593">https://kb.isc.org/docs/cve-2026-3593</a>).</li>
<li>Use a network intrusion detection system (NIDS) to monitor network traffic for unusual DNS-over-HTTPS requests that may indicate exploitation attempts.</li>
<li>Deploy the provided Sigma rule, which detects unusual process execution originating from <code>named</code> that may indicate exploitation attempts of CVE-2026-3593.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>cve</category><category>dns</category><category>use-after-free</category><category>denial-of-service</category><category>remote-code-execution</category></item></channel></rss>