cbcvebase.
CVE-2026-3593
published 2026-05-20


Priority: P261 · critical 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.84% (76.4th percentile)
A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.

Affected (8 ranges)

Vendor   Product   Version range          Fixed in
isc      bind
isc      bind      >= 9.20.0 < 9.20.23    9.20.23
isc      bind      >= 9.21.0 < 9.21.22    9.21.22
isc      bind_9    9.20.0 – 9.20.22
isc      bind_9    9.20.9-S1 – 9.20.22-S1
isc      bind_9    9.21.0 – 9.21.21
isc      dhcp
ubuntu   bind9

Detection & IOCs (extracted from sources)

  • Scope detection to DNS-over-HTTPS (DoH) endpoints running BIND 9 versions 9.20.0–9.20.22, 9.21.0–9.21.21, or 9.20.9-S1–9.20.22-S1; monitor for crafted HTTP/2 traffic that triggers memory corruption (use-after-free) on these endpoints
  • Alert on anomalous or malformed HTTP/2 request patterns directed at DoH listener ports on BIND 9 instances; memory-corruption symptoms (crashes, unexpected restarts of named) may indicate exploitation attempts
  • BIND 9 versions 9.18.0–9.18.48 and 9.18.11-S1–9.18.48-S1 are explicitly NOT affected; scope detection and patching efforts to the vulnerable version ranges only (9.20.0–9.20.22, 9.21.0–9.21.21, 9.20.9-S1–9.20.22-S1)
  • No vendor-provided mitigation is available; the only remediation path is patching, so do not rely on configuration-level workarounds
  • The vulnerability is exploitable remotely with no authentication required; any BIND instance with a publicly reachable DoH endpoint should be treated as high priority for patching

CVSS provenance

nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vendor_redhat: 9.8 CRITICAL
vendor_ubuntu: 7.5 HIGH