Zero Day Monitor (ZDM)
CVSS 7.5
CVE-2026-3039 · EXPLOITED · PATCHED
isc · bind

BIND 9 server memory exhaustion during GSS-API TKEY negotiation

Description

BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

Affected Products

Vendor | Product | Versions
isc | bind | 9.0.0, 9.18.0, 9.20.0, 9.21.0, 9.9.3-S1, 9.18.11-S1, 9.20.9-S1

References

  • https://kb.isc.org/docs/cve-2026-3039 (vendor-advisory)
  • https://downloads.isc.org/isc/bind9/9.18.49 (patch)
  • https://downloads.isc.org/isc/bind9/9.20.23 (patch)
  • https://downloads.isc.org/isc/bind9/9.21.22 (patch)

Related News (4 articles)

Tier A · Microsoft MSRC · 3d ago
CVE-2026-3039 BIND 9 server memory exhaustion during GSS-API TKEY negotiation
→ No new info (linked only)

Tier C · oss-security · 6d ago
ISC has disclosed six vulnerabilities in BIND 9 (CVE-2026-3039, CVE-2026-3592, CVE-2026-3593, CVE-2026-5946, CVE-2026-5947, CVE-2026-5950)
→ No new info (linked only)

Tier C · VulDB · 6d ago
CVE-2026-3039 | ISC BIND up to 9.21.21 GSS-API Token missing reference to active allocated resource
→ No new info (linked only)

Tier B · CERT-FR · 6d ago
Multiple vulnerabilities in ISC BIND (May 20, 2026)
→ No new info (linked only)

CVSS 3.1: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available:
  • https://kb.isc.org/docs/cve-2026-3039
  • https://downloads.isc.org/isc/bind9/9.18.49
  • https://downloads.isc.org/isc/bind9/9.20.23
CWE: CWE-771
Published: May 20, 2026
Last enriched: 6d ago (v2)
Tags: CVE-2026-3592, CVE-2026-3593
Trending Score: 45
Source articles: 4
Independent: 4
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-1519
Excessive NSEC3 iterations cause high CPU load during insecure delegation validation
Trending: 52

HIGH · CVE-2026-5946 · EXP
Invalid handling of CLASS != IN
Trending: 49

HIGH · CVE-2026-5947 · EXP
SIG(0) validation during query flood may lead to undefined behavior
Trending: 47

MEDIUM · CVE-2026-3592 · EXP
Amplification vulnerabilities via self-pointed glue records
Trending: 45

MEDIUM · CVE-2026-5950 · EXP
Unbounded resend loop in BIND 9 resolver
Trending: 45

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published · May 20, 2026
Discovered by ZDM · May 20, 2026
Updated: exploitAvailable, activelyExploited, tags · May 20, 2026
Actively Exploited · May 20, 2026
Exploit Available · May 20, 2026
Patch Available · May 20, 2026

Version History

v2 · Last enriched 6d ago

v2 · Tier B · 6d ago

Updated exploit availability to true, marked as actively exploited, and added new CVE tags.

exploitAvailable, activelyExploited, tags
via CERT-FR

v1 · 6d ago

Initial creation