On 20 May 2026, Internet Systems Consortium disclosed six vulnerabilities affecting our BIND 9 software:
- CVE-2026-3039: BIND 9 server memory exhaustion during GSS-API TKEY negotiation
  https://kb.isc.org/docs/cve-2026-3039
- CVE-2026-3592: Amplification vulnerabilities via self-pointed glue records
  https://kb.isc.org/docs/cve-2026-3592
- CVE-2026-3593: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation
  https://kb.isc.org/docs/cve-2026-3593
- CVE-2026-5946: Invalid handling of CLASS != IN
  https://kb.isc.org/docs/cve-2026-5946
- CVE-2026-5947: SIG(0) validation during query flood may lead to undefined behavior
  https://kb.isc.org/docs/cve-2026-5947
- CVE-2026-5950: Unbounded resend loop in BIND 9 resolver
  https://kb.isc.org/docs/cve-2026-5950

New versions of BIND 9 are available:
- https://downloads.isc.org/isc/bind9/9.18.49/
- https://downloads.isc.org/isc/bind9/9.20.23/
- https://downloads.isc.org/isc/bind9/9.21.22/

For more information and other release formats, consult the ISC software download page:
https://www.isc.org/download/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.

--
Best regards,
Michał Kępień
