Use-After-Free Vulnerability in BIND 9 by Internet Systems Consortium
CVE-2026-3593

7.4HIGH

Key Information:

Vendor: Isc
Status: Bind 9
Vendor: CVE Published:; 20 May 2026

Badges

👾 Exploit Exists

What is CVE-2026-3593?

A use-after-free vulnerability has been identified in the DNS-over-HTTPS implementation of BIND 9, affecting several versions. This flaw can lead to various security issues, potentially allowing unauthorized access or manipulation of data. Users of BIND 9 should ensure they are running the latest patched versions to mitigate this concern.

Affected Version(s)

BIND 9 9.20.0 <= 9.20.22

BIND 9 9.21.0 <= 9.21.21

BIND 9 9.20.9-S1 <= 9.20.22-S1

References

https://kb.isc.org/docs/cve-2026-3593

vendor-advisory

https://downloads.isc.org/isc/bind9/9.20.23

patch

https://downloads.isc.org/isc/bind9/9.21.22

patch

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
May 20, 2026
Vulnerability published
May 20, 2026
Vulnerability Reserved
Mar 5, 2026

Credit

ISC would like to thank Naresh Kandula Parmar (Nottiboy) for bringing this vulnerability to our attention.

CVE-2026-3593 Data

JSON

Isc

Badges

What is CVE-2026-3593?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit