A high-severity vulnerability in BIND 9’s DNS-over-HTTPS (DoH) implementation demands immediate attention from DNS administrators. Disclosed on May 20, 2026, CVE-2026-3593 is a heap use-after-free bug that can be exploited remotely to crash the server or execute arbitrary code. The flaw affects ISC BIND 9.20.0 through 9.20.22 and all 9.21.x releases, two widely adopted branches of the open-source DNS software that power authoritative and recursive name servers for enterprises, ISPs, and public DNS services.
Internet Systems Consortium (ISC) published a security advisory urging users to patch right away. If updating isn’t possible in the short term, the recommended workaround is to disable DNS-over-HTTPS entirely. The advisory comes as DoH adoption continues to grow, driven by browser vendors and privacy-focused services, making this vulnerability especially alarming.
What Is CVE-2026-3593?
CVE-2026-3593 is a heap use-after-free vulnerability in the code responsible for handling DNS queries over HTTPS. An unauthenticated, remote attacker can send a crafted sequence of HTTPS requests that triggers a memory access error after a previously allocated buffer has been freed. Depending on the attacker’s skill and the server’s memory layout, the bug can lead to a denial of service (the named process crashes) or to remote code execution (RCE) with the privileges of the BIND daemon.
Use-after-free bugs are among the most dangerous memory corruption weaknesses because they can seem innocent in testing but turn into full compromise under the right conditions. The CVE’s CVSS v3.1 base score is 8.1 (High), reflecting the low attack complexity, network-based attack vector, and the potential for total confidentiality, integrity, and availability impact.
Affected Versions and Severity
The bug is present in:
- BIND 9.20.0 through 9.20.22
- BIND 9.21.0 through the latest 9.21.x release at the time of disclosure
Older branches, including the widely used 9.18 and 9.16 Extended Support Versions, are not affected because they do not include the DoH code that contains the flaw. ISC confirmed that the vulnerability was introduced during the development of the 9.20 branch, when DoH support was extended to allow more flexible HTTP/2 and TLS configurations.
Organizations running affected versions should consider this a high-priority item. Even if your BIND instance is configured only as a resolver or authoritative server, if DoH is enabled—even on a non-public interface—the bug can be triggered.
Technical Details: Heap Use-After-Free in DNS-over-HTTPS
BIND’s DoH implementation relies on the nghttp2 library for HTTP/2 framing and OpenSSL for TLS termination. When a DNS query arrives over HTTPS, the server allocates a session structure to track the HTTP stream and any associated DNS transactions. Under a narrow race condition involving connection timeouts and error handling, the session object is freed while a callback still holds a dangling pointer. A subsequent HTTP frame destined for that session dereferences the freed memory, corrupting the heap.
ISC’s advisory provides this technical summary:
“A use-after-free error in the session cleanup logic for DNS-over-HTTPS connections can be triggered by a specific sequence of HTTP/2 frames sent over a long-lived connection. An attacker who can send HTTPS requests to the server can exploit this flaw to cause a crash or potentially achieve remote code execution.”
Because the vulnerability lies in the transport layer, no DNS query is required to reach the vulnerable code path. A malicious client only needs to establish a TLS connection to the DoH endpoint and send a series of HTTP/2 frames in the right order. This makes exploitation simpler than bugs that require parsing a valid DNS message.
Exploitation and Real-World Impact
BIND is the backbone of the Domain Name System. It’s estimated that over 80% of all DNS servers on the internet run some version of BIND. Even though most organizations do not yet serve DNS over HTTPS directly, the trend is clear: with Windows 11, macOS, and major browsers pushing DoH, more network operators are enabling the feature on their resolvers.
A successful RCE against a caching resolver could allow an attacker to poison the cache, redirect traffic to malicious servers, or pivot into internal networks. An attack against an authoritative server could disrupt service or tamper with zone data. A simple denial-of-service attack—crashing the named process—is far easier to accomplish and could be performed at scale to take down large DNS services.
ISC reported no active exploitation in the wild at the time of disclosure, but proof-of-concept code usually appears within days of a CVE becoming public. Security researchers have noted that this class of bug is highly reliable on modern Linux distributions when combined with existing heap-spraying techniques.
Immediate Mitigation Steps and Patch Availability
ISC has released patched versions:
- BIND 9.20.23
- BIND 9.21.6
These releases contain a fix that refactors the session lifecycle so that callbacks are properly synchronized and all dangling references are cleared before freeing memory. A changelog entry confirms that the patch is a minimal change, making backporting feasible for downstream package maintainers.
Administrators who cannot apply the patch immediately should disable DNS-over-HTTPS. This can be done by removing or commenting out any http listener blocks in named.conf and, if using a separate HTTPS front-end (like nginx or Apache), disabling the proxy that forwards requests to BIND. After making the change, restart named or reload the configuration. A sample configuration block that should be removed looks like:
http local-http {
    endpoints {
        "/dns-query";
    };
};
If BIND is compiled without the --enable-doh flag, the vulnerable code path does not exist. To verify whether DoH is active on your server, check the running configuration with named-checkconf or search the logs for lines containing “Listening on …/dns-query”.
Broader Implications for DNS-over-HTTPS Security
CVE-2026-3593 highlights the risks of adding new protocol support to critical infrastructure. DoH brings privacy benefits by encrypting DNS traffic, but it also expands the attack surface. BIND’s DoH implementation historically lagged behind simpler UDP/TCP DNS processing, and this bug is a reminder that each supported protocol needs the same rigorous review as the core DNS code.
Enterprise security teams should assess whether exposing DoH is necessary. If your users are already protected by browser-enforced DoH, you might not need to run an internal DoH resolver; a traditional DNS resolver with TLS (DoT) may suffice. For those who must offer DoH, keeping BIND updated and behind a reverse proxy that can filter malicious traffic is a sound defense-in-depth practice.
Vulnerability management programs should track CVEs for all DNS components, not just the operating system. The short time between disclosure and potential exploitation makes automated patch deployment critical.
What Administrators Should Do Now
- Identify affected systems. Run named -V to check the version. If it’s between 9.20.0 and 9.20.22, or any 9.21.x, you’re vulnerable.
- Apply the patch. Upgrade to BIND 9.20.23 or 9.21.6 from your distribution’s repositories or by compiling from source after verifying the signature.
- If patching is delayed, disable DoH. Remove http listeners and restart named. Monitor logs for errors.
- Verify with a scanner. Use a tool like nuclei or a custom script to send a benign probe that triggers the bug gently (if you have a test environment) or simply check if the service responds to HTTPS on the DoH endpoint.
- Consider network-level protections. Restrict access to the DoH endpoint to internal IP ranges using a firewall or an ACL, and limit the rate of new connections.
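The identify, disable and verify steps above, as an added POSIX shell example (not ISC's tooling): it classifies a named -V version string against the advisory's ranges, treating 9.20.23 and 9.21.6 and later as fixed, finds http listeners in named.conf text, and checks named's log for the “Listening on …/dns-query” line. The sample configuration and log line are constructed; the real-host check at the end assumes named-checkconf -p is available on the box.

```shell
#!/bin/sh
# Added example, not ISC's tooling. Classifies a BIND version string against the
# ranges named in the advisory and finds DoH listeners in named.conf text.

# Returns 0 if the version in the text is affected, 1 if not, 2 if no 9.x.y
# version is present. Affected: 9.20.0-9.20.22 and 9.21.0-9.21.5 (9.20.23 and
# 9.21.6 are the fixed releases the advisory names).
bind_affected() {
    ver=$(printf '%s\n' "$1" | head -n 1 |
          sed -n 's/.*\(9\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    rest=${ver#9.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$minor" in
        20) [ "$patch" -le 22 ] ;;
        21) [ "$patch" -le 5 ] ;;
        *)  return 1 ;;
    esac
}

# Prints every uncommented named.conf line that enables DoH: an http block
# definition or a listen-on/listen-on-v6 statement carrying an "http" clause.
# Returns 0 when at least one such line exists, 1 otherwise. Only line comments
# (// and #) are stripped; /* */ block comments are not handled.
doh_listeners() {
    printf '%s\n' "$1" | grep -vE '^[[:space:]]*(//|#)' |
        grep -E '^[[:space:]]*(http[[:space:]]+[^{;]+\{|listen-on(-v6)?[^;{]*[[:space:]]http[[:space:]])'
}

# Returns 0 when named's log text shows a DoH endpoint being bound, i.e. the
# "Listening on .../dns-query" line the advisory tells you to look for.
doh_in_logs() {
    printf '%s\n' "$1" | grep -qE 'Listening on .*/dns-query'
}

# Constructed sample input: a trimmed named.conf and one constructed log line.
SAMPLE_CONF='options {
    listen-on port 53 { any; };
    listen-on port 443 tls local-tls http local-http { any; };
};
http local-http {
    endpoints { "/dns-query"; };
};'
SAMPLE_LOG='general: notice: Listening on 192.0.2.10#443/dns-query'

# On a real host: check the installed binary and its parsed configuration.
if command -v named >/dev/null 2>&1 && bind_affected "$(named -V 2>/dev/null)"; then
    echo "named is in an affected version range"
    doh_listeners "$(named-checkconf -p 2>/dev/null)" && echo "DoH listeners present"
fi
```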
ISC promises a more detailed technical write-up and proof-of-concept guidance in the coming weeks. For now, the safest route is to assume that attackers are already working on exploit code and to act accordingly.
FAQ
Q: I’m running BIND 9.18. What should I do?
A: Nothing. 9.18 and earlier branches are not affected. This vulnerability is specific to the DoH code introduced in 9.20.
Q: My BIND server listens only on TCP and UDP port 53. Am I safe?
A: Yes. The bug is in the DoH component, which uses separate listeners for HTTP/2 and TLS. If you have no http listener configured, the vulnerable code is never reached.
Q: Will disabling DoH affect my DNS resolution?
A: No. Regular DNS over UDP/TCP continues to work. Only clients that explicitly send queries over HTTPS to your server will be affected.
Q: How can I check if someone has already exploited this against my server?
A: Look for named crash logs (SIGABRT or SIGSEGV) with backtraces referencing doh_session_free or nghttp2_session. If you see recurring crashes, assume compromise and rebuild the server after patching.
Q: Is there an IDS/IPS signature available?
A: Major vendors are expected to release rules shortly. In the meantime, monitor HTTPS traffic to the DoH endpoint for unusual sequences of RST frames and rapid connection resets.
CVE-2026-3593 serves as a stark reminder that critical internet infrastructure must be maintained with the same urgency as any other software. The combination of high severity and growing DoH adoption makes this a vulnerability that demands immediate action. Patch now, or disable DoH until you can—do not let this one slide.