Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
CVE-2026-3593: BIND 9 DNS-over-HTTPS can crash or leak memory
CVE-2026-3593
Summary
A security issue in BIND 9's DNS-over-HTTPS feature can cause the software to crash or leak memory, potentially leading to a denial-of-service attack. This affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. To stay secure, update to the latest version of BIND 9 or consider upgrading to a different DNS service.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| isc | bind |
>= 9.20.0, < 9.20.23 >= 9.21.0, < 9.21.22 cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
Original title
A use-after-free vulnerability exists within the DNS-over-HTTPS implementation.
This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.
...
Original description
A use-after-free vulnerability exists within the DNS-over-HTTPS implementation.
This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.
BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.
This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.
BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.
nvd CVSS3.1
7.4
Vulnerability type
CWE-416
Use After Free
Published: 20 May 2026 · Updated: 28 May 2026 · First seen: 20 May 2026