CVE-2026-3039
Undergoing Analysis - In Progress
Memory Exhaustion in BIND via TKEY Authentication

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Internet Systems Consortium (ISC)

Description
BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-05-20
AI Q&A: 2026-05-20
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 7 associated CPEs
Vendor | Product | Version / Range
isc | bind | From 9.0.0 (inc) to 9.16.50 (inc)
isc | bind | From 9.18.0 (inc) to 9.18.48 (inc)
isc | bind | From 9.20.0 (inc) to 9.20.22 (inc)
isc | bind | From 9.21.0 (inc) to 9.21.21 (inc)
isc | bind | From 9.9.3-S1 (inc) to 9.16.50-S1 (inc)
isc | bind | From 9.18.11-S1 (inc) to 9.18.48-S1 (inc)
isc | bind | From 9.20.9-S1 (inc) to 9.20.22-S1 (inc)
CWE ID | Description
CWE-771 | The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3039 is a high-severity vulnerability affecting BIND 9 DNS servers that use TKEY-based authentication via GSS-API tokens. It allows remote attackers to send specially crafted packets that cause the server to consume excessive memory.

This excessive memory consumption can lead to the server failing or crashing, resulting in a denial of service condition.

The vulnerability impacts multiple BIND 9 versions, including 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, and 9.21.0 through 9.21.21, as well as their supported preview editions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me?

This vulnerability can cause a denial of service on affected BIND 9 DNS servers by exhausting their memory resources.

When an attacker sends maliciously crafted packets, the server may allocate excessive memory and eventually fail or crash, disrupting DNS services.

Such disruption can affect network availability and reliability, especially in environments using Active Directory integrated DNS or Kerberos-secured DNS.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There are no specific detection commands or methods provided for identifying this vulnerability on your network or system.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate step to mitigate this vulnerability is to upgrade BIND 9 to the patched versions: 9.18.49, 9.20.23, 9.21.22, or their corresponding preview edition updates.

No workarounds are known, and no fixes are available for end-of-life versions, so upgrading is the only effective mitigation.

