Copyright © 2012 Red Hat, Inc. All rights reserved.
Important
2026-05-21T11:59:02
bind: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
CWE-825
A use-after-free vulnerability exists within the DNS-over-HTTPS implementation.
This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.
BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.
A flaw was found in the BIND (Berkeley Internet Name Domain) DNS-over-HTTPS implementation. A remote attacker could send specially crafted HTTP/2 traffic to a DNS-over-HTTPS endpoint, leading to a use-after-free vulnerability. This could trigger memory corruption, potentially allowing the attacker to cause a denial of service or, in some cases, execute arbitrary code.
Important: A heap use-after-free vulnerability in BIND's DNS-over-HTTPS implementation allows a remote attacker to trigger memory corruption by sending crafted HTTP/2 traffic to a DNS-over-HTTPS endpoint. This affects both authoritative servers and resolvers configured to use DNS-over-HTTPS, potentially leading to denial of service or other impacts.
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Red Hat Hardened Images
2026-04-10T00:00:00Z
RHSA-2026:7412
bind-main-9.18.48-1.1.hum1
Red Hat Enterprise Linux 10
Not affected
bind
Red Hat Enterprise Linux 6
Not affected
bind
Red Hat Enterprise Linux 7
Not affected
bind
Red Hat Enterprise Linux 8
Not affected
bind
Red Hat Enterprise Linux 8
Not affected
bind9.16
Red Hat Enterprise Linux 9
Not affected
bind
Red Hat Enterprise Linux 9
Not affected
bind9.18
Red Hat Enterprise Linux 9
Not affected
dhcp
Red Hat OpenShift Container Platform 4
Not affected
rhcos
https://www.cve.org/CVERecord?id=CVE-2026-3593
https://nvd.nist.gov/vuln/detail/CVE-2026-3593