CVE-2026-3039
ISC · BIND
BIND servers using GSS-API TKEY authentication are vulnerable to excessive memory consumption when processing malicious packets, potentially leading to a denial-of-service condition.
Executive summary
A memory exhaustion vulnerability in ISC BIND servers could allow remote attackers to cause a denial-of-service condition by sending maliciously constructed TKEY packets.
Vulnerability
This is a resource management vulnerability (CWE-771) where BIND fails to properly handle memory allocation during GSS-API TKEY authentication. It is exploitable by unauthenticated remote attackers.
Business impact
Successful exploitation results in a denial-of-service (DoS) state, rendering DNS services unavailable. Given the CVSS score of 7.5, this high-severity flaw poses a significant risk to organizational infrastructure, as DNS downtime interrupts critical network communication and business operations.
Remediation
Immediate Action: Upgrade BIND installations to the vendor-recommended versions: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.
Proactive Monitoring: Monitor server memory utilization and DNS traffic logs for spikes in TKEY-related packets or unexpected service restarts.
Compensating Controls: If immediate patching is not feasible, consider disabling GSS-API TKEY authentication if it is not strictly required for current operations.
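To help triage a fleet against the fixed releases listed above, the following is an added example (not ISC's code) that parses `named -v` output and reports whether a server is on a patched release. It assumes the usual `BIND 9.x.y ...` banner format and the `-S1` suffix for Subscriber Edition builds; constructed sample banners are embedded for offline use.

```python
import re
from typing import Optional, Tuple

# Fixed releases for CVE-2026-3039, as listed in the advisory.
# Key: (branch, is_subscriber_edition) -> first fixed (major, minor, patch).
FIXED = {
    ("9.18", False): (9, 18, 49),
    ("9.20", False): (9, 20, 23),
    ("9.21", False): (9, 21, 22),
    ("9.18", True): (9, 18, 49),   # 9.18.49-S1
    ("9.20", True): (9, 20, 23),   # 9.20.23-S1
}

# Matches "9.18.28" or "9.18.28-S1" anywhere in the banner (assumed format).
_VERSION_RE = re.compile(r"\b9\.(\d+)\.(\d+)(?:-S(\d+))?\b")


def parse_bind_version(banner: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, subscriber) from a `named -v` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    minor, patch, sub = m.groups()
    return (9, int(minor), int(patch), sub is not None)


def is_patched(banner: str) -> Optional[bool]:
    """True if at/after the fixed release on a listed branch, False if older,
    None if the version is unparseable or on a branch the advisory does not list
    (treat None as 'needs manual review', not as safe)."""
    v = parse_bind_version(banner)
    if v is None:
        return None
    major, minor, patch, sub = v
    fixed = FIXED.get((f"{major}.{minor}", sub))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


if __name__ == "__main__":
    # Constructed sample banners, not real inventory data.
    samples = [
        "BIND 9.18.28 (Extended Support Version) <id:constructed>",
        "BIND 9.20.23 (Stable Release) <id:constructed>",
        "BIND 9.18.49-S1 (Supported Preview Edition) <id:constructed>",
        "BIND 9.16.50 (Extended Support Version) <id:constructed>",
    ]
    for s in samples:
        print(f"{s!r}: patched={is_patched(s)}")
```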
Exploitation status
Public Exploit Available: false
Analyst recommendation
The vulnerability represents a significant risk to DNS availability. Administrators should prioritize upgrading to the patched releases immediately to prevent potential service disruptions.