ZeroPath at Black Hat USA 2026

Brief Summary: BIND 9 CVE-2026-3593 — Heap Use After Free in DNS over HTTPS via HTTP/2 SETTINGS Frame Flood

A brief summary of CVE-2026-3593, a high severity use after free vulnerability in BIND 9's DNS over HTTPS implementation triggered by HTTP/2 SETTINGS frame floods, affecting versions 9.20.0 through 9.20.22 and 9.21.0 through 9.21.21.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-20

Brief Summary: BIND 9 CVE-2026-3593 — Heap Use After Free in DNS over HTTPS via HTTP/2 SETTINGS Frame Flood
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A heap use after free in BIND 9's DNS over HTTPS implementation allows a remote, unauthenticated attacker to crash the named process by flooding HTTP/2 SETTINGS frames during a DoH response write. Given that BIND 9 is the most widely deployed DNS server software on the Internet, this vulnerability (CVE-2026-3593, CVSS 7.4) has broad relevance for any organization that has enabled DoH on their authoritative or recursive DNS infrastructure.

Technical Information

CVE-2026-3593 is classified as CWE-416 (Use After Free) and affects the DNS over HTTPS code path in BIND 9. The root cause is a race condition in how the server handles incoming HTTP/2 SETTINGS frames concurrently with writing DoH responses.

Root Cause

When a DNS over HTTPS client sends a flood of HTTP/2 SETTINGS frames at the exact moment the BIND 9 server is in the process of writing a DoH response, a heap memory region is freed prematurely. Subsequent access to that freed memory by the response writing logic triggers a use after free condition. This causes the named process to crash, resulting in denial of service. Because the corruption occurs on the heap, there is also a theoretical risk of sensitive data exposure from adjacent memory.

Attack Flow

  1. The attacker identifies a BIND 9 instance with DNS over HTTPS enabled and accessible over the network.
  2. The attacker establishes an HTTP/2 connection to the DoH endpoint.
  3. The attacker issues a DNS query over HTTPS to initiate a response from the server.
  4. While the server is writing the DoH response, the attacker sends a rapid flood of HTTP/2 SETTINGS frames over the same connection.
  5. The timing collision between SETTINGS frame processing and response writing triggers the use after free condition.
  6. The named process crashes, disrupting DNS service.

CVSS Breakdown

MetricValueDescription
Attack VectorNetworkExploitable remotely over the network
Attack ComplexityHighRequires specific timing during response writing
Privileges RequiredNoneNo authentication needed to send HTTP/2 frames
User InteractionNoneExploitation occurs without user involvement
Confidentiality ImpactHighMemory corruption could expose sensitive data
Availability ImpactHighCan cause the named process to crash

The High attack complexity rating reflects the need to hit a narrow timing window. However, the absence of any authentication requirement and the severe impact on both confidentiality and availability make this a meaningful risk for exposed DoH endpoints.

Important Scope Limitation

Only BIND 9 instances with DNS over HTTPS enabled are vulnerable. Configurations that do not use DoH are entirely unaffected by this issue.

Affected Systems and Versions

The following BIND 9 versions are affected:

BranchAffected VersionsFixed Version
BIND 9.20 (Stable)9.20.0 through 9.20.229.20.23
BIND 9.21 (Development)9.21.0 through 9.21.219.21.22
Supported Preview Edition9.20.9 S1 through 9.20.22 S19.20.23 S1

The following versions are explicitly not affected:

BranchUnaffected Versions
BIND 9.18 (Stable)9.18.0 through 9.18.48
Supported Preview Edition (9.18)9.18.11 S1 through 9.18.48 S1

The vulnerable configuration requires DNS over HTTPS to be enabled. Systems running affected versions without DoH configured are not at risk.

Vendor Security History

ISC has a long track record of maintaining BIND 9 as critical open source infrastructure. The organization has consistently provided timely security advisories and patches for high severity vulnerabilities across BIND 9's lifecycle. SecurityWeek has previously reported on BIND updates that patch high severity vulnerabilities, reflecting the ongoing attention ISC gives to the security posture of their software. The credit for discovering CVE-2026-3593 goes to Naresh Kandula Parmar, who reported the issue to ISC through their vulnerability disclosure process.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization