External risk intelligence

BIND DNS-over-HTTPS Use-After-Free Vulnerability.

CVE advisory
Severity: CRITICAL (CVSS 9.8)

CVE-2026-3593

A use-after-free vulnerability in BIND 9's DNS-over-HTTPS implementation could allow an unauthenticated attacker to crash the service. This affects organizations using vulnerable versions of BIND 9, potentially leading to denial-of-service disruptions and impacting the availability of internet-facing DNS services. The

Halo Surface Signal: 5

Weakness: Use After Free (CWE-416)

Product: ISC BIND

Affected versions: 9.20.0 to before 9.20.23; 9.21.0 to before 9.21.22

External exposure likelihood: Very likely

Halo Surface Signal score for CVE-2026-3593

BIND is a widely used DNS server software that is frequently deployed as a public-facing service to resolve domain names for internet users. Because the vulnerability exists within its DNS-over-HTTPS implementation—a protocol specifically designed to facilitate encrypted web-based DNS queries—the affected component is inherently exposed to the internet in common deployment patterns.

PCI scan relevance

PCI Relevance for CVE-2026-3593

Yes

CVE-2026-3593 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This use-after-free vulnerability in BIND 9's DNS-over-HTTPS implementation is an automatic fail for PCI ASV scans: its CVSS base score is far above the 4.0 threshold at which ASV scans fail a component. The advisory itself describes the confirmed impact as a crash of the DNS service; the 9.8 score (the usual vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects that a use-after-free reachable by unauthenticated remote input is scored as if code execution and data disclosure may also be possible, even though neither is demonstrated here.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A use-after-free vulnerability has been identified in the DNS-over-HTTPS implementation of BIND 9. Its confirmed effect is that an unauthenticated remote client can crash named, taking down resolution for every system that depends on that server. Because the flaw is memory corruption reachable from the network, a broader compromise of the host cannot be ruled out, which is why it carries a critical score.

  • Vulnerable DNS-over-HTTPS implementation
  • Use-after-free memory corruption
  • Potential data compromise and service disruption

Attack Path

How an attacker could exploit the issue

The vulnerability sits in the DNS-over-HTTPS (DoH) listener of widely deployed DNS server software. An attacker who can reach that listener sends DoH traffic that triggers the use-after-free; no credentials, prior access or user interaction are needed. The demonstrated result is a crash of named (denial of service). Whether the corrupted memory can be turned into code execution is not established by the advisory, but it should be assumed possible when prioritising.

  • DNS-over-HTTPS listener exposed to the network (by design, in most DoH deployments).
  • Unauthenticated attacker triggers the use-after-free with crafted DoH traffic.
  • named crashes; further control of the host is a possibility, not a confirmed outcome.

Live Threat

Current exploitation, exposure, and threat context

A use-after-free vulnerability in the DNS-over-HTTPS implementation of BIND 9 presents a significant risk. This flaw allows a remote attacker to crash the service and could, at worst, be leveraged further. Organizations running an affected version of BIND 9 with a DoH listener enabled should treat this as a high-priority issue.

  • No special skill required.
  • No access, credentials or preconditions required beyond network reachability of the DoH listener.
  • High business risk and urgency: DNS outages cascade to every dependent service.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A use-after-free vulnerability in the DNS-over-HTTPS implementation of BIND 9 presents a critical risk to organizations running an affected version with a DoH listener enabled. The confirmed effect is a crash of named, which takes resolution offline; because the corrupted memory is reachable by an unauthenticated remote client, the critical score also treats code execution as a possibility. Either outcome disrupts a service that most other systems depend on.

  • Identify all BIND 9 assets: inventory running named instances (package version, `named -v`, or a `version.bind` CHAOS TXT query where the operator has not masked it) and note which ones have an `http` listener configured in named.conf.
  • Restrict external DNS-over-HTTPS access until patched: bind the DoH listener to internal interfaces only or remove it, and filter the DoH port (443/tcp by convention) at the perimeter. The flaw is in the DoH code path, so plain DNS on port 53 can stay up while the HTTP listener is disabled.
  • Update BIND to 9.20.23, 9.21.22 or later (9.18 is not affected), confirm after a restart that `named -v` reports the new version, and monitor for named crashes and unexpected restarts both before and after patching.

Frequently asked questions

What is the software affected by the CVE-2026-3593 vulnerability and which versions are impacted?

The vulnerability CVE-2026-3593 affects BIND 9 software. Specifically, versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1 are impacted. Versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are not affected by this issue.
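The operational steps above (identify BIND assets, check whether DoH is enabled, verify the version after patching) and the version ranges listed in this answer can be turned into a small triage script. The following is an added example written for this page, not an ISC tool or anything from the advisory; the `named -v` line and the named.conf fragment it checks are constructed samples, and the version-range logic encodes exactly the ranges stated on this page.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-3593 (example for this page, not an ISC tool).
# Affected ranges below are the ones stated on the page: 9.20.0..9.20.22,
# 9.21.0..9.21.21 and 9.20.9-S1..9.20.22-S1; 9.18.x is not affected.

# Turn "9.20.22" (or "9.20.9-S1") into a sortable integer: 9.20.22 -> 9020022.
version_key() {
  printf '%s\n' "$1" | awk -F'[.-]' '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Print "affected" or "not-affected" for a BIND version string.
bind_affected() {
  k=$(version_key "$1")
  case "$1" in *-S*) sub=1 ;; *) sub=0 ;; esac   # ISC Supported Preview build?
  if [ "$k" -ge "$(version_key 9.20.0)" ] && [ "$k" -lt "$(version_key 9.20.23)" ]; then
    if [ "$sub" -eq 1 ] && [ "$k" -lt "$(version_key 9.20.9)" ]; then
      echo not-affected   # -S builds before 9.20.9-S1 are not in the page's list
    else
      echo affected
    fi
  elif [ "$k" -ge "$(version_key 9.21.0)" ] && [ "$k" -lt "$(version_key 9.21.22)" ]; then
    echo affected
  else
    echo not-affected
  fi
}

# Pull the version out of the first line of `named -v`, which looks like
#   BIND 9.20.22 (Stable Release) <id:...>
parse_named_v() {
  printf '%s\n' "$1" | awk 'NR == 1 && $1 == "BIND" { print $2 }'
}

# Pull the version out of `dig +short CH TXT version.bind @server`, which answers
# with a quoted string such as "9.20.22" (or an operator-set banner if masked).
parse_version_bind() {
  printf '%s\n' "$1" | sed -e 's/^"//' -e 's/"$//'
}

# List listen-on / listen-on-v6 statements that attach an HTTP (DoH) listener.
# BIND's syntax is: listen-on port 443 tls <tls-name> http <http-name> { ... };
doh_listeners() {
  printf '%s\n' "$1" | awk '/^[[:space:]]*listen-on(-v6)?[[:space:]].*[[:space:]]http[[:space:]]/'
}

count_doh_listeners() {
  doh_listeners "$1" | awk 'END { print NR }'
}

# One verdict line per asset: $1 = `named -v` output, $2 = named.conf text.
assess() {
  ver=$(parse_named_v "$1")
  state=$(bind_affected "$ver")
  n=$(count_doh_listeners "$2")
  if [ "$state" = affected ] && [ "$n" -gt 0 ]; then
    echo "PRIORITY BIND $ver: in affected range, $n DoH listener(s) configured"
  elif [ "$state" = affected ]; then
    echo "PATCH BIND $ver: in affected range, no DoH listener found"
  else
    echo "OK BIND $ver: not in the affected ranges"
  fi
}

# Constructed sample input (not real hosts, output or configuration).
SAMPLE_NAMED_V='BIND 9.20.22 (Stable Release) <id:0000000>'
SAMPLE_CONF='options {
    listen-on port 53 { any; };
    listen-on port 443 tls local-tls http local-http { any; };
    listen-on-v6 port 443 tls local-tls http local-http { any; };
};'

assess "$SAMPLE_NAMED_V" "$SAMPLE_CONF"
# PRIORITY BIND 9.20.22: in affected range, 2 DoH listener(s) configured
```

In practice you would feed `assess` the output of `named -v` from each host and the contents of its named.conf (including any files it `include`s); a host that reports "affected" but has no `http` listener still needs the patch, but the ones that also expose DoH are the first to fix or to take off the network. Re-run `parse_named_v "$(named -v)"` after the restart, not just after the package install, so that the check reflects the binary actually serving queries.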

What type of weakness does CVE-2026-3593 represent and how does it manifest in BIND 9?

CVE-2026-3593 is a use-after-free vulnerability, categorized under CWE-416. This memory corruption flaw occurs within the DNS-over-HTTPS (DoH) implementation of BIND 9, potentially allowing for the exploitation of corrupted memory.

How can an attacker exploit the use-after-free vulnerability in BIND 9's DNS-over-HTTPS implementation?

An attacker who can reach the DNS-over-HTTPS listener sends DoH traffic that triggers the use-after-free. No authentication, prior access or special conditions are required. The confirmed result is a crash of the service; because the flaw is memory corruption reachable from the network, escalation beyond a denial of service is possible in principle but is not demonstrated by the advisory.

What is the potential impact and relevance of CVE-2026-3593, considering BIND 9's role and the Halo Surface Signal?

BIND 9 is a widely used DNS server, often public-facing for domain name resolution, and the vulnerable DNS-over-HTTPS component is one that is exposed to the internet by design in most DoH deployments. Halo therefore rates the external exposure likelihood as 'Very likely'. Combined with the critical severity, this poses a significant risk of service disruption and, at worst, unauthorized access.

What steps should be taken to address the BIND 9 DNS-over-HTTPS use-after-free vulnerability?

Organizations should identify all BIND 9 assets, restrict external DNS-over-HTTPS access where possible, and promptly update affected BIND 9 versions to a secure release. Verification of the updates and ongoing monitoring of systems are crucial operational steps to mitigate the risk.
