CVE-2026-3039

ISC · BIND

BIND servers using GSS-API TKEY authentication are vulnerable to excessive memory consumption when processing malicious packets, potentially leading to a denial-of-service condition.

Executive summary

A memory exhaustion vulnerability in ISC BIND servers could allow remote attackers to cause a denial-of-service condition by sending maliciously-constructed TKEY packets.

Vulnerability

This is a resource management vulnerability (CWE-771) where BIND fails to properly handle memory allocation during GSS-API TKEY authentication. It is exploitable by unauthenticated remote attackers.

Business impact

Successful exploitation results in a denial-of-service (DoS) state, rendering DNS services unavailable. Given the CVSS score of 7.5, this high-severity flaw poses a significant risk to organizational infrastructure, as DNS downtime interrupts critical network communication and business operations.

Remediation

Immediate Action: Upgrade BIND installations to the vendor-recommended versions: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.

Proactive Monitoring: Monitor server memory utilization and DNS traffic logs for spikes in TKEY-related packets or unexpected service restarts.

Compensating Controls: If immediate patching is not feasible, consider disabling GSS-API TKEY authentication if it is not strictly required for current operations.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The vulnerability represents a significant risk to DNS availability. Administrators should prioritize upgrading to the patched releases immediately to prevent potential service disruptions.