CVE-2026-3039
Status: Analyzed (Analysis Complete)

Memory Exhaustion in BIND via TKEY Authentication

Vulnerability report for CVE-2026-3039, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: Internet Systems Consortium (ISC)

Description

BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.


Meta Information

Published: 2026-05-20
Last Modified: 2026-05-21
Generated: 2026-06-30
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-28
External records: NVD, EUVD

Affected Vendors & Products

Showing 4 associated CPEs

Vendor   Product   Version / Range
isc      bind      from 9.20.0 (inclusive) to 9.20.23 (exclusive)
isc      bind      from 9.21.0 (inclusive) to 9.21.22 (exclusive)
isc      bind      from 9.18.0 (inclusive) to 9.18.49 (exclusive)
isc      bind      from 9.0.0 (inclusive) to 9.16.50 (inclusive)

Exploitability

CWE ID    Description
CWE-771   The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.

AI Quick Actions

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-3039 is a high-severity vulnerability affecting BIND 9 DNS servers that use TKEY-based authentication via GSS-API tokens. It allows remote attackers to send specially crafted packets that cause the server to consume excessive memory.

This excessive memory consumption can lead to the server failing or crashing, resulting in a denial of service condition.

The vulnerability impacts multiple BIND 9 versions, including 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, and 9.21.0 through 9.21.21, as well as their supported preview editions.

Impact Analysis

This vulnerability can cause a denial of service on affected BIND 9 DNS servers by exhausting their memory resources.

When an attacker sends maliciously crafted packets, the server may allocate excessive memory and eventually fail or crash, disrupting DNS services.

Such disruption can affect network availability and reliability, especially in environments using Active Directory integrated DNS or Kerberos-secured DNS.

Detection Guidance

There are no specific detection commands or methods provided for identifying this vulnerability on your network or system.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade BIND 9 to the patched versions: 9.18.49, 9.20.23, 9.21.22, or their corresponding preview edition updates.

No workarounds are known, and no fixes are available for end-of-life versions, so upgrading is the only effective mitigation.
