{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/isc/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-3039"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIND 9"],"_cs_severities":["medium"],"_cs_tags":["cve","cve-2026-3039","bind9","denial-of-service","memory-consumption"],"_cs_type":"advisory","_cs_vendors":["ISC"],"content_html":"\u003cp\u003eISC BIND 9 is vulnerable to excessive memory consumption (CVE-2026-3039) when processing maliciously crafted packets targeting servers using TKEY-based authentication via GSS-API tokens. This configuration is often found in Active Directory-integrated DNS deployments or Kerberos-secured DNS environments. An attacker can exploit this vulnerability by sending specially crafted packets, causing the BIND server to consume excessive memory resources, potentially leading to denial of service. The affected versions include BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. 
Defenders should monitor DNS server memory usage and implement rate limiting or packet filtering to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a BIND server configured to use TKEY-based authentication with GSS-API.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DNS packet specifically designed to exploit the memory consumption vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted packet to the vulnerable BIND server.\u003c/li\u003e\n\u003cli\u003eThe BIND server receives the packet and attempts to process the TKEY authentication.\u003c/li\u003e\n\u003cli\u003eDue to the malicious structure of the packet, the server allocates an excessive amount of memory during the authentication process.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 3-5, sending multiple crafted packets to continually exhaust server memory.\u003c/li\u003e\n\u003cli\u003eThe BIND server\u0026rsquo;s memory consumption increases significantly, impacting performance and stability.\u003c/li\u003e\n\u003cli\u003eThe BIND server eventually crashes due to memory exhaustion, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3039 leads to excessive memory consumption on the affected BIND server, potentially resulting in a denial-of-service condition. This can disrupt DNS resolution services for the affected domain or network, impacting users\u0026rsquo; ability to access websites and online services. 
The vulnerability poses a significant risk to organizations relying on Active Directory-integrated DNS or Kerberos-secured DNS environments, potentially causing widespread service outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade BIND 9 to a patched version beyond 9.16.50, 9.18.48, 9.20.22, or 9.21.21 to remediate CVE-2026-3039.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on DNS traffic to mitigate the impact of malicious packets, protecting against memory exhaustion.\u003c/li\u003e\n\u003cli\u003eMonitor DNS server memory usage for unexpected spikes using system monitoring tools.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Excessive DNS Server Memory Allocation\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview DNS server configurations to minimize the use of TKEY-based authentication where possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T13:22:34Z","date_published":"2026-05-20T13:22:34Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-3039-bind-memory-consumption/","summary":"BIND servers configured for TKEY-based authentication using GSS-API tokens are susceptible to excessive memory consumption upon receiving and processing crafted packets, impacting availability.","title":"CVE-2026-3039: BIND TKEY Authentication Memory Consumption Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-3039-bind-memory-consumption/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5947"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIND 9 (9.20.0 - 9.20.22)","BIND 9 (9.21.0 - 9.21.21)","BIND 9 (9.20.9-S1 - 9.20.22-S1)"],"_cs_severities":["high"],"_cs_tags":["cve","dns","use-after-free","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["ISC"],"content_html":"\u003cp\u003eA use-after-free 
vulnerability, tracked as CVE-2026-5947, exists in ISC BIND. Specifically, when BIND receives an incoming DNS message signed with SIG(0), it validates that signature. If the number of \u0026ldquo;recursive-clients\u0026rdquo; reaches the configured limit during this validation process due to a query flood, the DNS message may be discarded. However, a small window of time exists where the SIG(0) validation process might still attempt to read the now-discarded DNS message, leading to a use-after-free condition and undefined behavior. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are not affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a DNS query flood to a BIND server to exhaust the \u003ccode\u003erecursive-clients\u003c/code\u003e limit.\u003c/li\u003e\n\u003cli\u003eSimultaneously, the attacker sends a crafted DNS message signed with SIG(0).\u003c/li\u003e\n\u003cli\u003eThe BIND server receives the crafted DNS message and begins SIG(0) signature validation.\u003c/li\u003e\n\u003cli\u003eWhile the signature validation is in progress, the \u003ccode\u003erecursive-clients\u003c/code\u003e limit is reached due to the query flood.\u003c/li\u003e\n\u003cli\u003eThe BIND server discards the DNS message to enforce the \u003ccode\u003erecursive-clients\u003c/code\u003e limit.\u003c/li\u003e\n\u003cli\u003eThe SIG(0) validation routine attempts to read the discarded DNS message.\u003c/li\u003e\n\u003cli\u003eA use-after-free vulnerability is triggered because the memory associated with the DNS message has been freed.\u003c/li\u003e\n\u003cli\u003eThis can lead to undefined behavior, potentially causing the BIND server to crash or, in more severe cases, allowing remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5947 can cause a denial-of-service (DoS) condition on the affected BIND server, disrupting DNS resolution services. In a worst-case scenario, it could lead to remote code execution, potentially allowing an attacker to gain control of the server. Given the critical role of DNS servers in network infrastructure, this vulnerability poses a significant risk. While no specific victim counts are available, the widespread use of BIND makes many organizations vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of BIND 9 to address CVE-2026-5947. Versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are not affected.\u003c/li\u003e\n\u003cli\u003eMonitor DNS server logs for errors related to SIG(0) validation, which may indicate exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect SIG(0) validation failure\u003c/code\u003e to detect these events.\u003c/li\u003e\n\u003cli\u003eRate limit incoming DNS queries to prevent query floods and reduce the likelihood of triggering the \u003ccode\u003erecursive-clients\u003c/code\u003e limit and the race condition.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T13:20:01Z","date_published":"2026-05-20T13:20:01Z","id":"https://feed.craftedsignal.io/briefs/2026-05-isc-bind-uaf/","summary":"A race condition in ISC BIND can lead to a use-after-free vulnerability (CVE-2026-5947) when handling SIG(0) signed DNS messages, potentially leading to undefined behavior.","title":"ISC BIND Use-After-Free Vulnerability Due to Race Condition (CVE-2026-5947)","url":"https://feed.craftedsignal.io/briefs/2026-05-isc-bind-uaf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5946"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIND 
9"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","dns","bind9","CVE-2026-5946"],"_cs_type":"advisory","_cs_vendors":["ISC"],"content_html":"\u003cp\u003eCVE-2026-5946 identifies multiple vulnerabilities within the \u003ccode\u003enamed\u003c/code\u003e component of BIND 9, arising from improper handling of DNS messages employing a CLASS other than Internet (\u003ccode\u003eIN\u003c/code\u003e), such as \u003ccode\u003eCHAOS\u003c/code\u003e or \u003ccode\u003eHESIOD\u003c/code\u003e, or DNS messages with meta-classes (\u003ccode\u003eANY\u003c/code\u003e or \u003ccode\u003eNONE\u003c/code\u003e) in the question section. An attacker can trigger these flaws by sending specially crafted DNS requests to a vulnerable BIND 9 server. The affected code paths include recursion, dynamic updates (\u003ccode\u003eUPDATE\u003c/code\u003e), zone change notifications (\u003ccode\u003eNOTIFY\u003c/code\u003e), and processing of \u003ccode\u003eIN\u003c/code\u003e-specific record types within non-\u003ccode\u003eIN\u003c/code\u003e data. Successful exploitation can lead to assertion failures in \u003ccode\u003enamed\u003c/code\u003e, potentially causing a denial-of-service condition. The vulnerability impacts BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable BIND 9 server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DNS request. 
This request leverages a DNS CLASS other than \u003ccode\u003eIN\u003c/code\u003e, such as \u003ccode\u003eCHAOS\u003c/code\u003e, or includes meta-classes such as \u003ccode\u003eANY\u003c/code\u003e or \u003ccode\u003eNONE\u003c/code\u003e in the question section.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted DNS request to the target BIND 9 server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enamed\u003c/code\u003e process receives and parses the malicious DNS request.\u003c/li\u003e\n\u003cli\u003eDue to the unexpected CLASS or meta-class, the \u003ccode\u003enamed\u003c/code\u003e process enters a vulnerable code path during recursion, dynamic updates, zone change notifications, or processing of \u003ccode\u003eIN\u003c/code\u003e-specific record types in non-\u003ccode\u003eIN\u003c/code\u003e data.\u003c/li\u003e\n\u003cli\u003eWithin the vulnerable code path, the \u003ccode\u003enamed\u003c/code\u003e process attempts an invalid operation based on the malicious request.\u003c/li\u003e\n\u003cli\u003eThis invalid operation triggers an assertion failure within the \u003ccode\u003enamed\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe assertion failure may cause the \u003ccode\u003enamed\u003c/code\u003e process to terminate or become unstable, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5946 leads to assertion failures within the \u003ccode\u003enamed\u003c/code\u003e process, causing potential instability or termination of the service. This results in a denial-of-service condition, disrupting DNS resolution services for affected networks and users. 
The severity of the impact depends on the role of the affected BIND 9 server; critical infrastructure DNS servers experiencing this issue can cause widespread outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade BIND 9 to a patched version (\u0026gt;= 9.16.51, \u0026gt;= 9.18.49, \u0026gt;= 9.20.23, \u0026gt;= 9.21.22) to remediate CVE-2026-5946.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect DNS queries with non-IN class\u0026rdquo; to identify potentially malicious DNS requests targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor DNS server logs for assertion failures in the \u003ccode\u003enamed\u003c/code\u003e process, which may indicate exploitation attempts related to CVE-2026-5946.\u003c/li\u003e\n\u003cli\u003eConsider implementing rate limiting and request filtering to mitigate the impact of malicious DNS requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T13:19:46Z","date_published":"2026-05-20T13:19:46Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-5946-bind9-assertion-failure/","summary":"Multiple flaws in BIND 9's `named` component, specifically versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1, can be exploited by sending specially crafted DNS requests with non-`IN` CLASS or meta-classes, leading to assertion failures and potential denial-of-service.","title":"CVE-2026-5946: BIND 9 `named` Assertion Failure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-5946-bind9-assertion-failure/"}],"language":"en","title":"CraftedSignal Threat Feed — ISC","version":"https://jsonfeed.org/version/1.1"}