BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6285 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6285-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     May 20, 2026                          https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : bind9     CVE ID         : CVE-2026-3039 CVE-2026-3592 CVE-2026-5946                      CVE-2026-5950 CVE-2026-5947 CVE-2026-3593

    Several vulnerabilities were discovered in BIND, a DNS server     implementation, which may result in denial of service.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 1:9.18.49-1~deb12u1.

    For the stable distribution (trixie), these problems have been fixed in     version 1:9.20.23-1~deb13u1.

    We recommend that you upgrade your bind9 packages.

    For the detailed security status of bind9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/bind9

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Debian Linux - bind9 - None (CVE-2026-3039)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of ISC BIND installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the cve-2026-3039 advisory.

  - Debian Linux - bind9 - None (CVE-2026-3039)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
315942	Debian dsa-6285 : bind9 - security update	Nessus	Debian Local Security Checks	high
315758	Linux Distros Unpatched Vulnerability : CVE-2026-3039	Nessus	Misc.	critical
315693	ISC BIND 9.0.0 < 9.18.49 / 9.9.3-S1 < 9.18.49-S1 / 9.18.0 < 9.18.49 / 9.18.11-S1 < 9.18.49-S1 / 9.20.0 < 9.20.23 / 9.20.9-S1 < 9.20.23-S1 / 9.21.0 < 9.21.22 Vulnerability (cve-2026-3039)	Nessus	DNS	high

Detections

Analytics

CVE-2026-3039

high

Tenable Plugins

high

critical

high