ZeroPath at Black Hat USA 2026

Brief Summary: BIND 9 CVE-2026-3039 Memory Exhaustion via GSS-API TKEY Negotiation

A short review of CVE-2026-3039, a high severity memory exhaustion vulnerability in BIND 9 affecting servers configured with GSS-API TKEY authentication, commonly found in Active Directory and Kerberos DNS environments.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-20

Brief Summary: BIND 9 CVE-2026-3039 Memory Exhaustion via GSS-API TKEY Negotiation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Enterprise DNS infrastructure built on BIND 9 with Active Directory or Kerberos integration is exposed to a remote, unauthenticated denial of service attack that silently exhausts server memory until name resolution fails entirely. CVE-2026-3039, disclosed by the Internet Systems Consortium on May 20, 2026, carries a CVSS score of 7.5 and affects a wide range of BIND 9 versions, with no workaround available.

Technical Information

Root Cause: A Leaked Security Context Outside BIND's Memory Accounting

The vulnerability is classified under CWE-771 (Missing Reference to Active Allocated Resource). The core issue lies in how BIND 9 handles GSS-API TKEY negotiation. During this process, the server creates a security context inside the GSS library. When processing maliciously constructed packets, this security context is leaked. Critically, because the memory is allocated directly by the GSS library and not through BIND's own memory allocator, the leak is invisible to BIND's internal memory accounting mechanisms. BIND has no visibility into how much memory the GSS library has consumed, and therefore cannot enforce any limits or trigger cleanup.

In earlier versions, BIND attempted to support multi round GSS-API negotiation. This design decision contributed to improper state handling that enables the leak. The Kerberos and SPNEGO protocols, which are the relevant GSS-API mechanisms in these environments, actually complete authentication in a single round, making multi round support unnecessary and, as it turns out, dangerous.

Attack Flow

The attack is straightforward:

  1. The attacker identifies a BIND 9 server configured with GSS-API TKEY authentication. These servers are typically found in Active Directory integrated DNS deployments or Kerberos secured DNS environments.
  2. The attacker sends repeated, maliciously crafted TKEY queries to the target server over the network. No authentication or special privileges are required.
  3. Each malicious TKEY query triggers the allocation of a GSS-API security context that is never properly freed.
  4. Because the leaked memory resides in the GSS library's address space and bypasses BIND's memory accounting, the server has no mechanism to detect or limit the growing consumption.
  5. Over time, available system memory is exhausted, and the BIND process fails, resulting in a complete denial of service for DNS resolution.

The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms the attack is network accessible, low complexity, requires no privileges or user interaction, and impacts availability to a high degree with no effect on confidentiality or integrity.

How the Fix Works

The patched releases address the vulnerability through two key changes:

  1. Rejection of multi round GSS-API negotiation. The server now refuses to engage in multi round exchanges, since Kerberos and SPNEGO complete in a single round. This eliminates the improper state handling that allowed the context leak.
  2. Enforcement of RFC 3645 requirements. The fix implements a previously missing check: the client must verify that mutual authentication and integrity flags are granted by the GSS-API mechanism. This brings the implementation into compliance with the protocol specification and closes the attack surface.

Affected Systems and Versions

The vulnerability affects BIND 9 servers that are configured to use TKEY based authentication via GSS-API tokens. The following version ranges are vulnerable:

BranchVulnerable Versions
BIND 9 mainline (early)9.0.0 through 9.16.50
BIND 9.18.x9.18.0 through 9.18.48
BIND 9.20.x9.20.0 through 9.20.22
BIND 9.21.x9.21.0 through 9.21.21
Supported Preview Edition (9.16)9.9.3-S1 through 9.16.50-S1
Supported Preview Edition (9.18)9.18.11-S1 through 9.18.48-S1
Supported Preview Edition (9.20)9.20.9-S1 through 9.20.22-S1

Patched releases:

BranchFixed Version
9.18.x9.18.49 (and 9.18.49-S1 for Preview Edition)
9.20.x9.20.23 (and 9.20.23-S1 for Preview Edition)
9.21.x9.21.22

Servers that do not use GSS-API TKEY authentication are not affected. The vulnerable configuration is most commonly found in Active Directory integrated DNS and Kerberos secured DNS environments.

Vendor Security History

ISC maintains a well established track record of transparent and professional vulnerability disclosure. For CVE-2026-3039, ISC provided early notification to stakeholders on May 13, 2026, a full week before the public disclosure and patch release on May 20, 2026. Their advisories consistently include CVSS scoring, detailed impact analysis, affected version matrices, and direct upgrade paths. Given BIND 9's position as the most widely deployed open source DNS implementation, used by financial institutions, carriers, ISPs, universities, and government agencies worldwide, ISC's disciplined approach to security communications is essential to the broader internet ecosystem.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization