CVE-2026-3039

HIGH EPSS 42.3%

Published May 20, 20261mo ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published May 20, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

42.3% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-771

Affected Products 4

Vendor	Product	Version	Range
isc	bind	*	≥9.0.0 – ≤9.16.50
isc	bind	*	≥9.18.0 – <9.18.49
isc	bind	*	≥9.20.0 – <9.20.23
isc	bind	*	≥9.21.0 – <9.21.22

References 4

downloads.isc.org https://downloads.isc.org/isc/bind9/9.18.49

Patch
downloads.isc.org https://downloads.isc.org/isc/bind9/9.20.23

Patch
downloads.isc.org https://downloads.isc.org/isc/bind9/9.21.22

Patch
kb.isc.org https://kb.isc.org/docs/cve-2026-3039

Vendor Advisory

Remediation

downloads.isc.org https://downloads.isc.org/isc/bind9/9.18.49

Patch
downloads.isc.org https://downloads.isc.org/isc/bind9/9.20.23

Patch
downloads.isc.org https://downloads.isc.org/isc/bind9/9.21.22

Patch