A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.

An update of the bindutils package has been released.

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-dbb0776ac5 advisory.

    #  Update to 9.21.22 (rhbz#2480122)

    ## Security Fixes:

    - Limit resolver server list size. (CVE-2026-3592)
    - Fix GSS-API resource leak. (CVE-2026-3039)
    - Disable recursion, UPDATE, and NOTIFY for non-IN views. (CVE-2026-5946)
    - Avoid unbounded recursion loop. (CVE-2026-5950)
    - Fix crash in resolver when SIG(0)-signed responses are received under load. (CVE-2026-5947)
    - Fix use-after-free error in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames. (CVE-2026-3593)
    - Fix outgoing zone transfers' quota issue.

    ## Feature Changes:

    - Fix CPU spikes and slow queries when cache approaches memory limit.
    - Implement RFC 3645 Section 4.1.1 key expiry check in TKEY.
    - Reduce memory footprint by actively returning unused memory to the OS.

    multiple bugfixes.

    Source: https://downloads.isc.org/isc/bind9/9.21.22/doc/arm/html/notes.html#notes-for-bind-9-21-22


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-ec095a4675 advisory.

    #  Update to 9.21.22 (rhbz#2480122)

    ## Security Fixes:

    - Limit resolver server list size. (CVE-2026-3592)
    - Fix GSS-API resource leak. (CVE-2026-3039)
    - Disable recursion, UPDATE, and NOTIFY for non-IN views. (CVE-2026-5946)
    - Avoid unbounded recursion loop. (CVE-2026-5950)
    - Fix crash in resolver when SIG(0)-signed responses are received under load. (CVE-2026-5947)
    - Fix use-after-free error in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames. (CVE-2026-3593)
    - Fix outgoing zone transfers' quota issue.

    ## Feature Changes:

    - Fix CPU spikes and slow queries when cache approaches memory limit.
    - Implement RFC 3645 Section 4.1.1 key expiry check in TKEY.
    - Reduce memory footprint by actively returning unused memory to the OS.

    multiple bugfixes.

    Source: https://downloads.isc.org/isc/bind9/9.21.22/doc/arm/html/notes.html#notes-for-bind-9-21-22



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8293-1 advisory.

    Vitaly Simonovich discovered that Bind could exhaust memory during GSS-API TKEY negotiation. A remote     attacker could possibly use this issue to cause Bind to use excessive resources, leading to a denial of     service. (CVE-2026-3039)

    Shuhan Zhang discovered that Bind incorrectly handled self-pointed glue records. A remote attacker could     possibly use this issue to use Bind in denial of service amplification attacks against other systems.
    (CVE-2026-3592)

    Naresh Kandula Parmar discovered that Bind incorrectly handled memory in the DNS-over-HTTPS     implementation. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a     denial of service, or execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS.
    (CVE-2026-3593)

    It was discovered that Bind incorrectly handled DNS messages whose class was not IN. A remote attacker     could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2026-5946)

    Naoki Wakamatsu discovered that Bind incorrectly handled SIG(0) validation during a query flood. A remote     attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This     issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-5947)

    Billy Baraja discovered that Bind had an unbounded resend loop in the resolver. A remote attacker could     possibly use this issue to cause Bind to use excessive resources, leading to a denial of service.
    (CVE-2026-5950)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6285 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6285-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     May 20, 2026                          https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : bind9     CVE ID         : CVE-2026-3039 CVE-2026-3592 CVE-2026-5946                      CVE-2026-5950 CVE-2026-5947 CVE-2026-3593

    Several vulnerabilities were discovered in BIND, a DNS server     implementation, which may result in denial of service.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 1:9.18.49-1~deb12u1.

    For the stable distribution (trixie), these problems have been fixed in     version 1:9.20.23-1~deb13u1.

    We recommend that you upgrade your bind9 packages.

    For the detailed security status of bind9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/bind9

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of ISC BIND installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the cve-2026-3593 advisory.

  - A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9     versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions     9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected. (CVE-2026-3593)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
321199	Photon OS 5.0: Bindutils PHSA-2026-5.0-0876	Nessus	PhotonOS Local Security Checks	critical
321083	Fedora 44 : bind9-next (2026-dbb0776ac5)	Nessus	Fedora Local Security Checks	critical
321079	Fedora 43 : bind9-next (2026-ec095a4675)	Nessus	Fedora Local Security Checks	critical
316496	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Bind vulnerabilities (USN-8293-1)	Nessus	Ubuntu Local Security Checks	critical
315942	Debian dsa-6285 : bind9 - security update	Nessus	Debian Local Security Checks	critical
315660	ISC BIND 9.20.0 < 9.20.23 / 9.20.9-S1 < 9.20.23-S1 / 9.21.0 < 9.21.22 Vulnerability (cve-2026-3593)	Nessus	DNS	critical

Detections

Analytics

CVE-2026-3593

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical