BIND's Memory-Safety Week: CVE-2026-3593, CVE-2026-3039, and CVE-2026-5946 in One Disclosure Round

1. DNS is the substrate every security control depends on

The Domain Name System is the single piece of infrastructure that every other infrastructure component trusts. Authentication systems trust DNS to point them at the right identity provider. Mail flow trusts DNS to verify SPF and DMARC records. Certificate issuance trusts DNS for the HTTP-01 and DNS-01 ACME challenges. API clients trust DNS to find their backends. A compromise of the DNS layer is a compromise of everything above it.

BIND, the ISC reference implementation, runs a significant fraction of recursive resolvers and authoritative servers worldwide. When ISC publishes an advisory round, the security community pays attention because the blast radius is whatever the customer's DNS posture exposes. The advisory round published this week covers three high-severity CVEs: CVE-2026-3593 (use-after-free in DNS-over-HTTPS), CVE-2026-3039 (TKEY authentication flaw), and CVE-2026-5946 (race condition in named handling of an undefined case). The three CVEs landed inside the same advisory; the remediation path is a single BIND update, but the projection space is large enough that we walked the engagement teams through the affected install base individually.

2. CVE-2026-3593, use-after-free in DNS-over-HTTPS

DNS-over-HTTPS (DoH) is the HTTPS-encapsulated DNS query path that BIND has supported as a recursive front-end since the 9.18 release line. The vulnerable code path in BIND's DoH implementation handles connection-shutdown sequences. The bug is a textbook use-after-free (CWE-416): a DoH connection's per-stream state structure can be freed while another part of the codebase still holds a reference, and a subsequent dereference of the freed pointer accesses memory whose contents are no longer what the holder expected.

The attacker primitive is a sequence of DoH connection-establish and connection-tear-down operations against the named DoH listener. The blast radius depends on the BIND build's memory-allocator behaviour. On builds using BIND's default jemalloc-style allocator, the freed slab is sometimes reused for a different allocation before the dangling reference dereferences it, producing data-corruption symptoms in unrelated request paths. On builds using a debugging allocator that poisons freed memory, the dangling dereference produces an immediate crash. On systems with ASLR and modern allocator hardening, weaponising the use-after-free for code execution is non-trivial but not impossible.

The realistic exploitation path is denial of service. An attacker who can reach the DoH listener can repeatedly trigger the use-after-free and force BIND into a crash-restart loop, taking the recursive resolver out of service for the duration of the attack. For customers running BIND as their primary recursive resolver, the consequence is application-layer DNS failure across their entire estate.

The fix is in BIND 9.20.9 (and corresponding backports to 9.18.x). The patch adds reference-counting on the per-stream state structure and defers the free until the last reference is released. The patch is mechanical and ships with regression tests covering the established connection-teardown sequences.
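The bug class and the shape of the fix can be shown in a few dozen lines. The following is an added illustration, not BIND's code and not the ISC patch: `stream_state_t`, `pending_t` and the function names are assumptions modelled on the advisory's description of a per-stream structure that is freed while another holder still points at it. The vulnerable teardown is shown but deliberately never executed; the reference-counted version is what the worked sequence runs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-stream DoH state, modelled on the advisory's description.
 * This is not BIND's real structure; the names are assumptions for this example. */
typedef struct {
    int refs;            /* live holders; only the fixed path maintains it */
    int stream_id;
    char peer[32];
} stream_state_t;

/* A second component (think: a queue of responses still to be written)
 * that keeps its own pointer to the stream state. */
typedef struct {
    stream_state_t *stream;
} pending_t;

stream_state_t *stream_new(int id, const char *peer) {
    stream_state_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->refs = 1;                               /* the connection's own reference */
    s->stream_id = id;
    snprintf(s->peer, sizeof s->peer, "%s", peer);
    return s;
}

/* ---- the CWE-416 shape (shown, deliberately never executed) ----
 * Teardown frees the state unconditionally while `pending` still points at
 * it; the later dereference reads freed memory. */
void teardown_vulnerable(stream_state_t *s) { free(s); }
int pending_use_vulnerable(const pending_t *p) {
    return p->stream->stream_id;               /* use-after-free if teardown ran first */
}

/* ---- the fixed shape: reference counting, free deferred to the last holder ---- */
void stream_ref(stream_state_t *s) { s->refs++; }

/* Drops one reference; returns 1 when this call actually freed the object. */
int stream_unref(stream_state_t *s) {
    if (--s->refs > 0) return 0;
    free(s);
    return 1;
}

/* Teardown under the fix drops only the connection's own reference. */
int teardown_fixed(stream_state_t *s) { return stream_unref(s); }

/* Worked sequence: connection and a pending holder share the state, the
 * connection tears down first, the holder still reads the state safely,
 * and the object is freed only when the holder releases it.
 * Returns 1 when every step behaved as the fix intends. */
int demo_fixed_sequence(void) {
    stream_state_t *s = stream_new(7, "192.0.2.10");   /* constructed peer address */
    if (!s) return 0;
    pending_t p = { .stream = s };
    stream_ref(s);                                     /* holder takes its reference */
    int freed_at_teardown = teardown_fixed(s);         /* expect 0: holder still alive */
    int id = p.stream->stream_id;                      /* safe: object still live */
    int freed_at_release = stream_unref(p.stream);     /* expect 1: last reference */
    return freed_at_teardown == 0 && id == 7 && freed_at_release == 1;
}

int main(void) {
    printf("fixed sequence ok: %d\n", demo_fixed_sequence());
    return 0;
}
```

The point of the sequence is that under the fix the order of teardown and late use no longer matters: whichever holder releases last frees the object. A production implementation with holders on different threads needs an atomic counter rather than the plain `int` used here.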

3. CVE-2026-3039, TKEY authentication

TKEY is the DNS mechanism for negotiating cryptographic key material used by TSIG (transaction signature) authentication. The vulnerable code path is in the TKEY-based authentication negotiation, where BIND mishandles a specific message shape during the key-exchange flow.

The advisory describes the bug in terms of authentication bypass. An attacker who can reach the BIND server on its DNS port can craft a TKEY exchange that causes the server to accept a subsequent request as authenticated when the request is not. The downstream consequence depends on what TKEY-authenticated requests are allowed to do on the affected server. For authoritative servers using TKEY-authenticated dynamic updates, the attacker can modify zone data. For recursive servers using TKEY-authenticated control-plane operations, the attacker can issue privileged control operations against the running server.

The exploitation primitive is one or two crafted TKEY packets. The attack does not require any existing key material; it bypasses the key check entirely.

The fix is in the same BIND 9.20.9 release. The patch reorders the validation steps in the TKEY handler so the cryptographic check happens before the authentication state is committed.
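The ordering defect the advisory describes is easier to reason about as a small state machine. The block below is an added example, not BIND's TKEY handler: `tkey_session_t`, `tkey_msg_t`, the shared secret and the keyed FNV-1a checksum standing in for the TSIG HMAC are all assumptions for the demonstration. The vulnerable handler commits the session's authenticated state and then checks the MAC; a failed check rejects that one message but leaves the committed state in place, so a follow-up privileged request passes the gate. The fixed handler performs the check first and commits only on success.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model of per-session authentication state and of a TKEY message.
 * Not BIND's real types; the names are for this example only. */
typedef struct { int authenticated; } tkey_session_t;
typedef struct { const char *payload; uint32_t mac; } tkey_msg_t;

/* Constructed shared secret standing in for negotiated TKEY/TSIG key material. */
static const char SHARED_KEY[] = "constructed-demo-key";

/* Stand-in for the TSIG HMAC: a keyed FNV-1a checksum. It is not
 * cryptographic; it only needs to make "right MAC" and "wrong MAC" distinct. */
uint32_t toy_mac(const char *key, const char *payload) {
    uint32_t h = 2166136261u;
    for (const char *p = key; *p; p++)     { h ^= (uint8_t)*p; h *= 16777619u; }
    for (const char *p = payload; *p; p++) { h ^= (uint8_t)*p; h *= 16777619u; }
    return h;
}

/* Vulnerable ordering: the session is marked authenticated before the
 * cryptographic check. A failed check rejects this message, but the
 * committed state survives and a follow-up request is treated as authenticated. */
int handle_tkey_vulnerable(tkey_session_t *s, const tkey_msg_t *m) {
    s->authenticated = 1;                                     /* commit ... */
    if (toy_mac(SHARED_KEY, m->payload) != m->mac) return -1; /* ... then check */
    return 0;
}

/* Fixed ordering: check first, commit only when the check passes. */
int handle_tkey_fixed(tkey_session_t *s, const tkey_msg_t *m) {
    if (toy_mac(SHARED_KEY, m->payload) != m->mac) return -1;
    s->authenticated = 1;
    return 0;
}

/* Gate that a later privileged request (e.g. a dynamic update) consults. */
int update_allowed(const tkey_session_t *s) { return s->authenticated; }

typedef int (*tkey_handler_t)(tkey_session_t *, const tkey_msg_t *);

/* Worked exchange: one TKEY message (valid or deliberately wrong MAC), then a
 * follow-up privileged request. Returns 1 if the follow-up would be allowed. */
int follow_up_allowed(tkey_handler_t handler, int valid_mac) {
    tkey_session_t s = { 0 };
    tkey_msg_t m = { .payload = "constructed TKEY exchange", .mac = 0 };
    m.mac = toy_mac(SHARED_KEY, m.payload);
    if (!valid_mac) m.mac ^= 1;             /* guaranteed-wrong MAC */
    handler(&s, &m);
    return update_allowed(&s);
}

int main(void) {
    printf("vulnerable, bad MAC: follow-up allowed=%d\n", follow_up_allowed(handle_tkey_vulnerable, 0));
    printf("fixed,      bad MAC: follow-up allowed=%d\n", follow_up_allowed(handle_tkey_fixed, 0));
    printf("fixed,     good MAC: follow-up allowed=%d\n", follow_up_allowed(handle_tkey_fixed, 1));
    return 0;
}
```

The general rule the fix restores is that no security-relevant state transition happens on the success path before every check that could still fail has passed; a handler that commits early and "rolls back" on failure has to get every failure branch right, and the vulnerable version above shows the one that was missed.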

4. CVE-2026-5946, undefined-behaviour race condition

The third CVE is a race condition (CWE-362) in named triggered by an edge case in the handling of a particular query shape. The advisory describes the behaviour as undefined and the consequence as named entering an inconsistent internal state that can produce assertion failures, malformed responses, or, at the worst end of the spectrum, a crash.

The exploitation primitive is a sustained query stream that includes the triggering shape at a controlled rate. The race window is small but reliably winnable across a multi-second attack window. The consequence is operational availability impact on the affected resolver.

The fix in 9.20.9 adds explicit handling for the previously-undefined case and serialises access to the shared state during the affected processing path.
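The "serialises access to the shared state" part of the fix is the generic CWE-362 remedy, and it is worth seeing what the unserialised version actually does to an invariant. The block below is an added example and not BIND's code: `shared_t` is an assumed model of shared state with two fields that must move together (the invariant is `bytes == entries * ENTRY_BYTES`), updated concurrently by several threads first without and then with a mutex.

```c
#include <pthread.h>
#include <stdio.h>

#define ENTRY_BYTES 64
#define WORKERS 4
#define UPDATES 20000

/* Assumed model of the shared state: two fields that must move together,
 * with the invariant bytes == entries * ENTRY_BYTES. Not BIND's real structure. */
typedef struct {
    long entries;
    long bytes;
    pthread_mutex_t lock;
} shared_t;

typedef struct { shared_t *st; int serialised; } worker_arg_t;

/* Racy path: two read-modify-write steps with no serialisation, so another
 * thread can interleave between or inside them and the invariant can break. */
static void update_racy(shared_t *st) {
    st->entries += 1;
    st->bytes += ENTRY_BYTES;
}

/* Fixed path: the same update under a mutex, so each update is atomic
 * with respect to every other worker. */
static void update_serialised(shared_t *st) {
    pthread_mutex_lock(&st->lock);
    st->entries += 1;
    st->bytes += ENTRY_BYTES;
    pthread_mutex_unlock(&st->lock);
}

static void *worker(void *p) {
    worker_arg_t *a = p;
    for (int i = 0; i < UPDATES; i++) {
        if (a->serialised) update_serialised(a->st);
        else update_racy(a->st);
    }
    return NULL;
}

/* Runs WORKERS threads doing UPDATES updates each and returns 1 if the final
 * state is consistent (right count and invariant intact), 0 otherwise. */
int run_updates(int serialised, long *entries_out, long *bytes_out) {
    shared_t st;
    pthread_t th[WORKERS];
    worker_arg_t arg = { &st, serialised };
    st.entries = 0;
    st.bytes = 0;
    pthread_mutex_init(&st.lock, NULL);
    for (int i = 0; i < WORKERS; i++) pthread_create(&th[i], NULL, worker, &arg);
    for (int i = 0; i < WORKERS; i++) pthread_join(th[i], NULL);
    pthread_mutex_destroy(&st.lock);
    if (entries_out) *entries_out = st.entries;
    if (bytes_out) *bytes_out = st.bytes;
    return st.entries == (long)WORKERS * UPDATES && st.bytes == st.entries * ENTRY_BYTES;
}

int main(void) {
    long e, b;
    int ok = run_updates(0, &e, &b);
    printf("racy:       entries=%ld bytes=%ld consistent=%d\n", e, b, ok);
    ok = run_updates(1, &e, &b);
    printf("serialised: entries=%ld bytes=%ld consistent=%d\n", e, b, ok);
    return 0;
}
```

The racy run is non-deterministic by nature: on a lightly loaded machine it may come out consistent, on a busy one it usually loses updates or ends with `bytes` out of step with `entries`, which is exactly the "inconsistent internal state" the advisory describes and the kind of condition an assertion in the affected path would catch. The serialised run is consistent every time.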

5. The combined projection

Our Version Vulnerability Projector ran against the customer install base inside the standard nightly cycle. The projection identified affected BIND instances across:

The fast-tracked subset (assets where BIND is reachable from outside the customer's trust boundary on the DoH listener, the DNS port for TKEY exchanges, or both) was about 340 instances across the customer base. The Test Capsules for the three CVEs went out overnight and the affected customers had findings in their dashboards by the morning.

6. The test capsule shape

Each of the three CVEs ships its own capsule. The capsules share a common structure: a version-fingerprint probe (cheap, deterministic) and a behaviour-reproduction probe (more expensive, gated on the version probe).

The DoH UAF capsule's version probe queries the BIND server's version.bind CHAOS-class TXT record where the server is configured to respond to it, and falls back to TLS-layer fingerprinting otherwise. The behaviour probe opens a DoH connection, performs a benign query, and observes the connection-teardown sequence for the timing signature characteristic of the bug. The probe does not attempt to actually crash the server.

The TKEY capsule's behaviour probe sends a malformed TKEY exchange and observes whether the server commits the authentication state before the cryptographic check completes. The decision rule is the relative ordering of two specific log markers that the BIND patch documents; on a patched server the markers appear in one order, on an unpatched server they appear in the reverse order.

The undefined-race capsule's behaviour probe issues the triggering query shape at a controlled rate and watches the server's responses for assertion-failure patterns. The probe rate is bounded; the capsule does not attempt sustained DoS against any customer asset.

All three capsules include benign-demonstration variants that customers can request against staging environments for stakeholder demonstrations.

7. The remediation path

The fix is one BIND upgrade. The packaging and rollout work is what takes the engineering time.

The recommended sequence:

  1. Upgrade authoritative servers first. Authoritative DNS failure is a slow-decay outage: clients keep cached responses until their TTL expires, so even if the authoritative server goes offline briefly during the upgrade, the operational impact is bounded.
  2. Upgrade recursive resolvers in serial, with health-check gating. A recursive resolver outage produces immediate application-layer failure across every client that uses it. Roll the upgrade through one resolver at a time, validate the resolver is answering correctly before proceeding to the next, and keep the upgrade window aligned with the customer's lowest-traffic period.
  3. Push vendors for embedded BIND updates. Appliance vendors and endpoint defender vendors who ship a vendored BIND owe customers an updated build. Interim mitigation is to isolate the affected listener to a trusted network.
  4. Audit any BIND build that comes from an OS package older than the patched version. Distro security trackers will have updated packages within 24-72 hours; until then, build BIND from the upstream tarball.

The pattern repeats every BIND advisory round and the pattern is worth automating. We are happy to walk customers through the upgrade sequencing during normal account-management touchpoints.

8. The structural takeaway

DNS infrastructure is critical infrastructure. The same engineering discipline that customers apply to their public web tier (version pinning, change management, rollback rehearsal, dependency-graph audits) needs to apply to the DNS tier. Three high-severity CVEs in a single advisory round is not unusual for BIND; the codebase is large, complex, and exposed to adversarial input. The customers who handle this advisory round well will be the ones whose patch pipeline already has BIND as a tracked component, whose DNS topology is documented enough that the upgrade sequencing is a known runbook, and whose continuous scanning catches the version drift the next time it happens.

The customers who do not have those in place will catch up over the next week. They will probably want help.

Verifiable security.