Introduction
A heap use after free in BIND 9's DNS over HTTPS implementation allows a remote, unauthenticated attacker to crash the named process by flooding HTTP/2 SETTINGS frames during a DoH response write. Given that BIND 9 is the most widely deployed DNS server software on the Internet, this vulnerability (CVE-2026-3593, CVSS 7.4) has broad relevance for any organization that has enabled DoH on their authoritative or recursive DNS infrastructure.
Technical Information
CVE-2026-3593 is classified as CWE-416 (Use After Free) and affects the DNS over HTTPS code path in BIND 9. The root cause is a race condition in how the server handles incoming HTTP/2 SETTINGS frames concurrently with writing DoH responses.
Root Cause
When a DNS over HTTPS client sends a flood of HTTP/2 SETTINGS frames at the exact moment the BIND 9 server is in the process of writing a DoH response, a heap memory region is freed prematurely. Subsequent access to that freed memory by the response writing logic triggers a use after free condition. This causes the named process to crash, resulting in denial of service. Because the corruption occurs on the heap, there is also a theoretical risk of sensitive data exposure from adjacent memory.
Attack Flow
- The attacker identifies a BIND 9 instance with DNS over HTTPS enabled and accessible over the network.
- The attacker establishes an HTTP/2 connection to the DoH endpoint.
- The attacker issues a DNS query over HTTPS to initiate a response from the server.
- While the server is writing the DoH response, the attacker sends a rapid flood of HTTP/2 SETTINGS frames over the same connection.
- The timing collision between SETTINGS frame processing and response writing triggers the use after free condition.
- The
namedprocess crashes, disrupting DNS service.
CVSS Breakdown
| Metric | Value | Description |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the network |
| Attack Complexity | High | Requires specific timing during response writing |
| Privileges Required | None | No authentication needed to send HTTP/2 frames |
| User Interaction | None | Exploitation occurs without user involvement |
| Confidentiality Impact | High | Memory corruption could expose sensitive data |
| Availability Impact | High | Can cause the named process to crash |
The High attack complexity rating reflects the need to hit a narrow timing window. However, the absence of any authentication requirement and the severe impact on both confidentiality and availability make this a meaningful risk for exposed DoH endpoints.
Important Scope Limitation
Only BIND 9 instances with DNS over HTTPS enabled are vulnerable. Configurations that do not use DoH are entirely unaffected by this issue.
Affected Systems and Versions
The following BIND 9 versions are affected:
| Branch | Affected Versions | Fixed Version |
|---|---|---|
| BIND 9.20 (Stable) | 9.20.0 through 9.20.22 | 9.20.23 |
| BIND 9.21 (Development) | 9.21.0 through 9.21.21 | 9.21.22 |
| Supported Preview Edition | 9.20.9 S1 through 9.20.22 S1 | 9.20.23 S1 |
The following versions are explicitly not affected:
| Branch | Unaffected Versions |
|---|---|
| BIND 9.18 (Stable) | 9.18.0 through 9.18.48 |
| Supported Preview Edition (9.18) | 9.18.11 S1 through 9.18.48 S1 |
The vulnerable configuration requires DNS over HTTPS to be enabled. Systems running affected versions without DoH configured are not at risk.
Vendor Security History
ISC has a long track record of maintaining BIND 9 as critical open source infrastructure. The organization has consistently provided timely security advisories and patches for high severity vulnerabilities across BIND 9's lifecycle. SecurityWeek has previously reported on BIND updates that patch high severity vulnerabilities, reflecting the ongoing attention ISC gives to the security posture of their software. The credit for discovering CVE-2026-3593 goes to Naresh Kandula Parmar, who reported the issue to ISC through their vulnerability disclosure process.



