Vulnerability-Lookup

RHSA-2026:7412

Vulnerability from csaf_redhat - Published: 2026-04-10 18:39 - Updated: 2026-05-22 02:11

Summary

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

Severity

Important

Notes

Topic: An update for Red Hat Hardened Images RPMs is now available.

Details: This update includes the following RPMs: bind: * bind-9.18.48-1.1.hum1 (aarch64, x86_64) * bind-chroot-9.18.48-1.1.hum1 (aarch64, x86_64) * bind-devel-9.18.48-1.1.hum1 (aarch64, x86_64) * bind-dnssec-utils-9.18.48-1.1.hum1 (aarch64, x86_64) * bind-doc-9.18.48-1.1.hum1 (noarch) * bind-libs-9.18.48-1.1.hum1 (aarch64, x86_64) * bind-utils-9.18.48-1.1.hum1 (aarch64, x86_64) * bind-9.18.48-1.1.hum1.src (src)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-3593

A flaw was found in the BIND (Berkeley Internet Name Domain) DNS-over-HTTPS implementation. A remote attacker could send specially crafted HTTP/2 traffic to a DNS-over-HTTPS endpoint, leading to a use-after-free vulnerability. This could trigger memory corruption, potentially allowing the attacker to cause a denial of service or, in some cases, execute arbitrary code.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CWE-825 - Expired Pointer Dereference

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:bind-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:bind-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:bind-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:bind-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-5947

A flaw was found in BIND. A remote attacker could exploit a race condition during SIG(0) signature validation of an incoming DNS message. If the "recursive-clients" limit is reached and the message is discarded, a use-after-free vulnerability may occur. This could lead to undefined behavior and potentially result in a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:bind-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:bind-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:bind-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:bind-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

References

14 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:7412	self
https://images.redhat.com/	external
https://access.redhat.com/security/cve/CVE-2026-3593	external
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/security/cve/CVE-2026-5947	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-3593	self
https://bugzilla.redhat.com/show_bug.cgi?id=2479770	external
https://www.cve.org/CVERecord?id=CVE-2026-3593	external
https://nvd.nist.gov/vuln/detail/CVE-2026-3593	external
https://access.redhat.com/security/cve/CVE-2026-5947	self
https://bugzilla.redhat.com/show_bug.cgi?id=2479772	external
https://www.cve.org/CVERecord?id=CVE-2026-5947	external
https://nvd.nist.gov/vuln/detail/CVE-2026-5947	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\nbind:\n  * bind-9.18.48-1.1.hum1 (aarch64, x86_64)\n  * bind-chroot-9.18.48-1.1.hum1 (aarch64, x86_64)\n  * bind-devel-9.18.48-1.1.hum1 (aarch64, x86_64)\n  * bind-dnssec-utils-9.18.48-1.1.hum1 (aarch64, x86_64)\n  * bind-doc-9.18.48-1.1.hum1 (noarch)\n  * bind-libs-9.18.48-1.1.hum1 (aarch64, x86_64)\n  * bind-utils-9.18.48-1.1.hum1 (aarch64, x86_64)\n  * bind-9.18.48-1.1.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:7412",
        "url": "https://access.redhat.com/errata/RHSA-2026:7412"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-3593",
        "url": "https://access.redhat.com/security/cve/CVE-2026-3593"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-5947",
        "url": "https://access.redhat.com/security/cve/CVE-2026-5947"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7412.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-05-22T02:11:20+00:00",
      "generator": {
        "date": "2026-05-22T02:11:20+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.0"
        }
      },
      "id": "RHSA-2026:7412",
      "initial_release_date": "2026-04-10T18:39:00+00:00",
      "revision_history": [
        {
          "date": "2026-04-10T18:39:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-21T14:21:03+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-22T02:11:20+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-main@aarch64",
                "product": {
                  "name": "bind-main@aarch64",
                  "product_id": "bind-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/bind@9.18.48-1.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-main@src",
                "product": {
                  "name": "bind-main@src",
                  "product_id": "bind-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/bind@9.18.48-1.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-main@x86_64",
                "product": {
                  "name": "bind-main@x86_64",
                  "product_id": "bind-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/bind@9.18.48-1.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-main@noarch",
                "product": {
                  "name": "bind-main@noarch",
                  "product_id": "bind-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/bind-doc@9.18.48-1.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:bind-main@aarch64"
        },
        "product_reference": "bind-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:bind-main@noarch"
        },
        "product_reference": "bind-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:bind-main@src"
        },
        "product_reference": "bind-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:bind-main@x86_64"
        },
        "product_reference": "bind-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-3593",
      "cwe": {
        "id": "CWE-825",
        "name": "Expired Pointer Dereference"
      },
      "discovery_date": "2026-05-19T09:55:25.800000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2479770"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the BIND (Berkeley Internet Name Domain) DNS-over-HTTPS implementation. A remote attacker could send specially crafted HTTP/2 traffic to a DNS-over-HTTPS endpoint, leading to a use-after-free vulnerability. This could trigger memory corruption, potentially allowing the attacker to cause a denial of service or, in some cases, execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bind: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Important: A heap use-after-free vulnerability in BIND\u0027s DNS-over-HTTPS implementation allows a remote attacker to trigger memory corruption by sending crafted HTTP/2 traffic to a DNS-over-HTTPS endpoint. This affects both authoritative servers and resolvers configured to use DNS-over-HTTPS, potentially leading to denial of service or other impacts.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:bind-main@aarch64",
          "Red Hat Hardened Images:bind-main@noarch",
          "Red Hat Hardened Images:bind-main@src",
          "Red Hat Hardened Images:bind-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-3593"
        },
        {
          "category": "external",
          "summary": "RHBZ#2479770",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479770"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-3593",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3593"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3593",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3593"
        }
      ],
      "release_date": "2026-05-21T11:59:02.348000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T18:39:00+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7412"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "bind: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation"
    },
    {
      "cve": "CVE-2026-5947",
      "cwe": {
        "id": "CWE-367",
        "name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
      },
      "discovery_date": "2026-05-19T09:59:51.277000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2479772"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in BIND. A remote attacker could exploit a race condition during SIG(0) signature validation of an incoming DNS message. If the \"recursive-clients\" limit is reached and the message is discarded, a use-after-free vulnerability may occur. This could lead to undefined behavior and potentially result in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bind: SIG(0) validation during query flood may lead to undefined behavior",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Important: A race condition in BIND\u0027s SIG(0) validation process can lead to undefined behavior and a denial of service when the server is under a query flood and processing signed DNS messages. This flaw could disrupt critical DNS resolution services in Red Hat environments.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:bind-main@aarch64",
          "Red Hat Hardened Images:bind-main@noarch",
          "Red Hat Hardened Images:bind-main@src",
          "Red Hat Hardened Images:bind-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-5947"
        },
        {
          "category": "external",
          "summary": "RHBZ#2479772",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479772"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-5947",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5947"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-5947",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5947"
        }
      ],
      "release_date": "2026-05-21T12:15:50.513000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T18:39:00+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7412"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "bind: SIG(0) validation during query flood may lead to undefined behavior"
    }
  ]
}

CVE-2026-3593 (GCVE-0-2026-3593)

Vulnerability from cvelistv5 – Published: 2026-05-20 13:09 – Updated: 2026-05-20 13:40

Title

Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation

Summary

A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-416 - Use After Free

Assigner

isc

References

3 references

URL	Tags
https://kb.isc.org/docs/cve-2026-3593	vendor-advisory
https://downloads.isc.org/isc/bind9/9.20.23	patch
https://downloads.isc.org/isc/bind9/9.21.22	patch

Impacted products

1 product

Vendor	Product	Version
ISC	BIND 9	Affected: 9.20.0 , ≤ 9.20.22 (custom) Affected: 9.21.0 , ≤ 9.21.21 (custom) Affected: 9.20.9-S1 , ≤ 9.20.22-S1 (custom) Unaffected: 9.18.0 , ≤ 9.18.48 (custom) Unaffected: 9.18.11-S1 , ≤ 9.18.48-S1 (custom)

Date Public ?

2026-05-20 00:00

Credits

ISC would like to thank Naresh Kandula Parmar (Nottiboy) for bringing this vulnerability to our attention.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3593",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T13:40:34.896109Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T13:40:45.166Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.20.22",
              "status": "affected",
              "version": "9.20.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.21.21",
              "status": "affected",
              "version": "9.21.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.22-S1",
              "status": "affected",
              "version": "9.20.9-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.48",
              "status": "unaffected",
              "version": "9.18.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.48-S1",
              "status": "unaffected",
              "version": "9.18.11-S1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.22",
                  "versionStartIncluding": "9.20.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.21.21",
                  "versionStartIncluding": "9.21.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.22-S1",
                  "versionStartIncluding": "9.20.9-S1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.48",
                  "versionStartIncluding": "9.18.0",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.48-S1",
                  "versionStartIncluding": "9.18.11-S1",
                  "vulnerable": false
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Naresh Kandula Parmar (Nottiboy) for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2026-05-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation.\nThis issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.\nBIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Crafted HTTP/2 traffic sent to a DNS-over-HTTPS endpoint can be used to trigger memory corruption."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T13:09:47.178Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2026-3593",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2026-3593"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.20.23"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.21.22"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.23, 9.21.22, or 9.20.23-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation",
      "workarounds": [
        {
          "lang": "en",
          "value": "Configurations not using DNS-over-HTTPS should not be affected.  Disabling DNS-over-HTTPS is likewise an effective workaround."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2026-3593",
    "datePublished": "2026-05-20T13:09:47.178Z",
    "dateReserved": "2026-03-05T12:57:16.981Z",
    "dateUpdated": "2026-05-20T13:40:45.166Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5947 (GCVE-0-2026-5947)

Vulnerability from cvelistv5 – Published: 2026-05-20 13:10 – Updated: 2026-05-20 13:39

Title

SIG(0) validation during query flood may lead to undefined behavior

Summary

Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-416 - Use After Free

Assigner

isc

References

3 references

URL	Tags
https://kb.isc.org/docs/cve-2026-5947	vendor-advisory
https://downloads.isc.org/isc/bind9/9.20.23	patch
https://downloads.isc.org/isc/bind9/9.21.22	patch

Impacted products

1 product

Vendor	Product	Version
ISC	BIND 9	Affected: 9.20.0 , ≤ 9.20.22 (custom) Affected: 9.21.0 , ≤ 9.21.21 (custom) Affected: 9.20.9-S1 , ≤ 9.20.22-S1 (custom) Unaffected: 9.18.28 , ≤ 9.18.49 (custom) Unaffected: 9.18.28-S1 , ≤ 9.18.49-S1 (custom)

Date Public ?

2026-05-20 00:00

Credits

ISC would like to thank Naoki Wakamatsu for bringing this vulnerability to our attention.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5947",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T13:39:15.454199Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T13:39:38.654Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.20.22",
              "status": "affected",
              "version": "9.20.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.21.21",
              "status": "affected",
              "version": "9.21.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.22-S1",
              "status": "affected",
              "version": "9.20.9-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.49",
              "status": "unaffected",
              "version": "9.18.28",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.49-S1",
              "status": "unaffected",
              "version": "9.18.28-S1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.22",
                  "versionStartIncluding": "9.20.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.21.21",
                  "versionStartIncluding": "9.21.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.22-S1",
                  "versionStartIncluding": "9.20.9-S1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.49",
                  "versionStartIncluding": "9.18.28",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.49-S1",
                  "versionStartIncluding": "9.18.28-S1",
                  "vulnerable": false
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Naoki Wakamatsu for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2026-05-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message.\nThis issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.\nBIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "The use of memory after it is freed is undefined (\"dangling pointer\").  The BIND process may abort with a segmentation violation or similar error.  If memory from the discarded message has not been reused or reclaimed, the validation might proceed normally.  Any kind of code execution from such an improper data read is unlikely."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T13:10:11.873Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2026-5947",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2026-5947"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.20.23"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.21.22"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.23, 9.21.22, or 9.20.23-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SIG(0) validation during query flood may lead to undefined behavior",
      "workarounds": [
        {
          "lang": "en",
          "value": "No workarounds known."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2026-5947",
    "datePublished": "2026-05-20T13:10:11.873Z",
    "dateReserved": "2026-04-09T06:40:58.672Z",
    "dateUpdated": "2026-05-20T13:39:38.654Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:7412

CVE-2026-3593 (GCVE-0-2026-3593)

CVE-2026-5947 (GCVE-0-2026-5947)

Tags

Sightings

Nomenclature