=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN523
_____________________________________________________________________

DATE                : 20/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running BIND versions prior to 9.18.49,
                       9.20.23, 9.21.22, 9.18.49-S1, 9.20.23-S1.

=====================================================================
https://kb.isc.org/docs/cve-2026-3039
https://kb.isc.org/docs/cve-2026-3592
https://kb.isc.org/docs/cve-2026-3593
_____________________________________________________________________


CVE-2026-3039: BIND 9 server memory exhaustion during GSS-API TKEY
negotiation

CVE: CVE-2026-3039

Title: BIND 9 server memory exhaustion during GSS-API TKEY
negotiation

Document version: 2.0

Posting date: 20 May 2026

Program impacted: BIND 9

Versions affected:

BIND

    9.0.0 -> 9.16.50
    9.18.0 -> 9.18.48
    9.20.0 -> 9.20.22
    9.21.0 -> 9.21.21

BIND Supported Preview Edition

    9.9.3-S1 -> 9.16.50-S1
    9.18.11-S1 -> 9.18.48-S1
    9.20.9-S1 -> 9.20.22-S1

(Versions prior to 9.11.37 were not assessed.)

Although we have not tested them individually, we believe that all EoL
versions of BIND are vulnerable to this weakness.

Severity: High

Exploitable: Remotely

Description:

BIND servers that are configured to use TKEY-based authentication via
GSS-API tokens are vulnerable to excessive memory consumption when
receiving and processing maliciously-constructed packets. Typically
these servers will be found in Active Directory integrated DNS
deployments and/or Kerberos-secured DNS environments.

Impact:

An attacker can construct and send packets to a BIND server that will
cause it to allocate memory that is not subsequently released. Depending
on the volume and frequency of the packets received, named will
eventually fail due to memory exhaustion.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.


Workarounds:

No workarounds known.

Active exploits:

We are not aware of any active exploits.


Solution:

Upgrade to the patched release most closely related to your current
version of BIND 9:

    9.18.49
    9.20.23
    9.21.22

BIND Supported Preview Edition is a special feature preview branch of
BIND provided to eligible ISC support customers.

    9.18.49-S1
    9.20.23-S1


Acknowledgments:

ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention.


Document revision history:

    1.0 Early Notification, 13 May 2026
    1.1 Remove references to keytab (using GSS-API TKEY is sufficient
        for exposure), 14 May 2026
    2.0 Public disclosure, 20 May 2026

Related documents:

See our BIND 9 Security Vulnerability Matrix for a complete listing
of security vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory should
be mailed to bind-security@isc.org or posted as confidential GitLab
issues at
https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true.

Note:

ISC patches only currently supported versions. When possible we indicate
EOL versions affected. For current information on which versions are
actively supported, please see https://www.isc.org/download/.

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be found
in the ISC Software Defect and Security Vulnerability Disclosure Policy
at https://kb.isc.org/docs/aa-00861.

The Knowledgebase article https://kb.isc.org/docs/cve-2026-3039 is the
complete and official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS"
basis. No warranty or guarantee of any kind is expressed in this notice
and none should be implied. ISC expressly excludes and disclaims any
warranties regarding this notice or materials referred to in this notice,
including, without limitation, any implied warranty of merchantability,
fitness for a particular purpose, absence of hidden defects, or of
non-infringement. Your use or reliance on this notice or materials
referred to in this notice is at your own risk. ISC may change this
notice at any time. A stand-alone copy or paraphrase of the text of
this document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of date,
or contain factual errors.

_____________________________________________________________________

CVE: CVE-2026-3592

Title: Amplification vulnerabilities via self-pointed glue records

Document version: 2.0

Posting date: 20 May 2026

Program impacted: BIND 9

Versions affected:

BIND

    9.11.0 -> 9.16.50
    9.18.0 -> 9.18.48
    9.20.0 -> 9.20.22
    9.21.0 -> 9.21.21

BIND Supported Preview Edition

    9.11.3-S1 -> 9.16.50-S1
    9.18.11-S1 -> 9.18.48-S1
    9.20.9-S1 -> 9.20.22-S1

Severity: Medium

Exploitable: Remotely

Description:

BIND resolvers are vulnerable to an amplified resource
consumption/exhaustion attack. If a victim resolver makes a query to a
specially crafted zone, the resolver will consume disproportionate
resources.

Impact:

An attacker may be able to cause the resolver to consume
disproportionate amounts of bandwidth in the attempt to resolve
the name. Impairment of TCP may also be seen.
The issue predominately affects recursive resolvers.
Authoritative-only servers containing only trustworthy zones and
names should be unaffected. If an authoritative server can be
induced to look up an attack domain (e.g., if loading a zone
from an untrusted source), it may be possible to trigger the
issue.

    Authoritative services are believed to be unaffected by this
    vulnerability but it is important to read:
    https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries

    Resolvers are affected by this vulnerability.

CVSS Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

For more information on the Common Vulnerability Scoring System
and to obtain your specific environmental score please visit:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1.

Workarounds:

No workarounds known.

Active exploits:

We are not aware of any active exploits.

Solution:

Upgrade to the patched release most closely related to your current
version of BIND 9:

    9.18.49
    9.20.23
    9.21.22

BIND Supported Preview Edition is a special feature preview branch
of BIND provided to eligible ISC support customers.

    9.18.49-S1
    9.20.23-S1

Acknowledgments:

ISC would like to thank Shuhan Zhang from Tsinghua University for
bringing this vulnerability to our attention.

Document revision history:

    1.0 Early Notification, 13 May 2026
    2.0 Public disclosure, 20 May 2026

The Knowledgebase article https://kb.isc.org/docs/cve-2026-3592 is the
complete and official security advisory document.

_____________________________________________________________________

CVE: CVE-2026-3593

Title: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS
implementation

Document version: 2.0

Posting date: 20 May 2026

Program impacted: BIND 9

Versions affected:

BIND

    9.20.0 -> 9.20.22
    9.21.0 -> 9.21.21

BIND Supported Preview Edition

    9.20.9-S1 -> 9.20.22-S1

Versions NOT affected:

BIND

    9.18.0 -> 9.18.48

BIND Supported Preview Edition

    9.18.11-S1 -> 9.18.48-S1

(Versions prior to 9.18.0 and 9.18.11-S1 were not assessed.)

Severity: High

Exploitable: Remotely

Description:

A use-after-free vulnerability exists within the DNS-over-HTTPS
implementation.

Impact:

Crafted HTTP/2 traffic sent to a DNS-over-HTTPS endpoint can be used
to trigger memory corruption.

    Authoritative servers are affected by this vulnerability.

    Resolvers are affected by this vulnerability.

CVSS Score: 7.4

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H&version=3.1.

Workarounds:

Configurations not using DNS-over-HTTPS should not be affected.
Disabling DNS-over-HTTPS is likewise an effective workaround.

Active exploits:

We are not aware of any active exploits.

Solution:

Upgrade to the patched release most closely related to your current
version of BIND 9:

    9.20.23
    9.21.22

BIND Supported Preview Edition is a special feature preview branch of
BIND provided to eligible ISC support customers.

    9.20.23-S1

Acknowledgments:

ISC would like to thank Naresh Kandula Parmar (Nottiboy) for bringing
this vulnerability to our attention.

Document revision history:

    1.0 Early Notification, 13 May 2026
    2.0 Public disclosure, 20 May 2026

The Knowledgebase article https://kb.isc.org/docs/cve-2026-3593
is the complete and official security advisory document.
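
Added example (not part of the ISC or CERT-Renater text): a triage helper
that maps a `named -v` version string and a named.conf excerpt to the three
advisories above, using the version ranges and patched releases listed on
this page. The option names matched in FEATURE (tkey-gssapi-keytab,
tkey-gssapi-credential, the http keyword on listen-on) and the sample
configuration are assumptions of this example.

```python
import re

# Version ranges (inclusive) copied from the "Versions affected" lists above.
CUR = [("9.18.0", "9.18.48"), ("9.20.0", "9.20.22"), ("9.21.0", "9.21.21")]
CUR_S = [("9.18.11-S1", "9.18.48-S1"), ("9.20.9-S1", "9.20.22-S1")]
AFFECTED = {
    "CVE-2026-3039": {"bind": [("9.0.0", "9.16.50")] + CUR,
                      "preview": [("9.9.3-S1", "9.16.50-S1")] + CUR_S},
    "CVE-2026-3592": {"bind": [("9.11.0", "9.16.50")] + CUR,
                      "preview": [("9.11.3-S1", "9.16.50-S1")] + CUR_S},
    "CVE-2026-3593": {"bind": CUR[1:], "preview": CUR_S[1:]},
}
# Patched release per branch, from the "Solution" sections; EoL branches have none.
FIXED = {"bind": {(9, 18): "9.18.49", (9, 20): "9.20.23", (9, 21): "9.21.22"},
         "preview": {(9, 18): "9.18.49-S1", (9, 20): "9.20.23-S1"}}
# Assumed named.conf markers for GSS-API TKEY and DoH (comments are not stripped).
FEATURE = {"CVE-2026-3039": r"\btkey-gssapi-(keytab|credential)\b",
           "CVE-2026-3593": r"\blisten-on(-v6)?\b[^;{]*\bhttp\b"}

def parse(version):
    """'BIND 9.18.48-S1 (...)' -> ((9, 18, 48), 'preview')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?", version)
    if not m:
        raise ValueError(f"no BIND version in {version!r}")
    return tuple(map(int, m.groups()[:3])), "preview" if m.group(4) else "bind"

def triage(version, conf_text):
    """Return ({cve: 'exposed' | 'version only'}, patched release or None)."""
    num, edition = parse(version)
    result = {}
    for cve, ranges in AFFECTED.items():
        if not any(parse(lo)[0] <= num <= parse(hi)[0] for lo, hi in ranges[edition]):
            continue
        pattern = FEATURE.get(cve)  # CVE-2026-3592 has no config gate on the page
        exposed = pattern is None or re.search(pattern, conf_text)
        result[cve] = "exposed" if exposed else "version only"
    return result, FIXED[edition].get(num[:2])

# Constructed sample: an unpatched 9.20 server with DoH enabled and no GSS-API TKEY.
SAMPLE_CONF = """options {
    listen-on port 443 tls local-tls http default { any; };
    recursion yes;
};"""
```

Distribution packages often backport fixes without changing the upstream
version number, so treat a version match as a prompt to check the vendor's
own advisory for the package.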


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




