Introduction
Enterprise DNS infrastructure built on BIND 9 with Active Directory or Kerberos integration is exposed to a remote, unauthenticated denial of service attack that silently exhausts server memory until name resolution fails entirely. CVE-2026-3039, disclosed by the Internet Systems Consortium on May 20, 2026, carries a CVSS score of 7.5 and affects a wide range of BIND 9 versions, with no workaround available.
Technical Information
Root Cause: A Leaked Security Context Outside BIND's Memory Accounting
The vulnerability is classified under CWE-771 (Missing Reference to Active Allocated Resource). The core issue lies in how BIND 9 handles GSS-API TKEY negotiation. During this process, the server creates a security context inside the GSS library. When processing maliciously constructed packets, this security context is leaked. Critically, because the memory is allocated directly by the GSS library and not through BIND's own memory allocator, the leak is invisible to BIND's internal memory accounting mechanisms. BIND has no visibility into how much memory the GSS library has consumed, and therefore cannot enforce any limits or trigger cleanup.
In earlier versions, BIND attempted to support multi round GSS-API negotiation. This design decision contributed to improper state handling that enables the leak. The Kerberos and SPNEGO protocols, which are the relevant GSS-API mechanisms in these environments, actually complete authentication in a single round, making multi round support unnecessary and, as it turns out, dangerous.
Attack Flow
The attack is straightforward:
- The attacker identifies a BIND 9 server configured with GSS-API TKEY authentication. These servers are typically found in Active Directory integrated DNS deployments or Kerberos secured DNS environments.
- The attacker sends repeated, maliciously crafted TKEY queries to the target server over the network. No authentication or special privileges are required.
- Each malicious TKEY query triggers the allocation of a GSS-API security context that is never properly freed.
- Because the leaked memory resides in the GSS library's address space and bypasses BIND's memory accounting, the server has no mechanism to detect or limit the growing consumption.
- Over time, available system memory is exhausted, and the BIND process fails, resulting in a complete denial of service for DNS resolution.
The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms the attack is network accessible, low complexity, requires no privileges or user interaction, and impacts availability to a high degree with no effect on confidentiality or integrity.
How the Fix Works
The patched releases address the vulnerability through two key changes:
- Rejection of multi round GSS-API negotiation. The server now refuses to engage in multi round exchanges, since Kerberos and SPNEGO complete in a single round. This eliminates the improper state handling that allowed the context leak.
- Enforcement of RFC 3645 requirements. The fix implements a previously missing check: the client must verify that mutual authentication and integrity flags are granted by the GSS-API mechanism. This brings the implementation into compliance with the protocol specification and closes the attack surface.
Affected Systems and Versions
The vulnerability affects BIND 9 servers that are configured to use TKEY based authentication via GSS-API tokens. The following version ranges are vulnerable:
| Branch | Vulnerable Versions |
|---|---|
| BIND 9 mainline (early) | 9.0.0 through 9.16.50 |
| BIND 9.18.x | 9.18.0 through 9.18.48 |
| BIND 9.20.x | 9.20.0 through 9.20.22 |
| BIND 9.21.x | 9.21.0 through 9.21.21 |
| Supported Preview Edition (9.16) | 9.9.3-S1 through 9.16.50-S1 |
| Supported Preview Edition (9.18) | 9.18.11-S1 through 9.18.48-S1 |
| Supported Preview Edition (9.20) | 9.20.9-S1 through 9.20.22-S1 |
Patched releases:
| Branch | Fixed Version |
|---|---|
| 9.18.x | 9.18.49 (and 9.18.49-S1 for Preview Edition) |
| 9.20.x | 9.20.23 (and 9.20.23-S1 for Preview Edition) |
| 9.21.x | 9.21.22 |
Servers that do not use GSS-API TKEY authentication are not affected. The vulnerable configuration is most commonly found in Active Directory integrated DNS and Kerberos secured DNS environments.
Vendor Security History
ISC maintains a well established track record of transparent and professional vulnerability disclosure. For CVE-2026-3039, ISC provided early notification to stakeholders on May 13, 2026, a full week before the public disclosure and patch release on May 20, 2026. Their advisories consistently include CVSS scoring, detailed impact analysis, affected version matrices, and direct upgrade paths. Given BIND 9's position as the most widely deployed open source DNS implementation, used by financial institutions, carriers, ISPs, universities, and government agencies worldwide, ISC's disciplined approach to security communications is essential to the broader internet ecosystem.



