CVE-2026-3593: BIND 9 DNS-over-HTTPS Use-After-Free Vulnerability
The National Vulnerability Database has detailed CVE-2026-3593, a high-severity use-after-free vulnerability (CVSS 7.4) impacting BIND 9’s DNS-over-HTTPS (DoH) implementation. This flaw affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. Importantly, BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are explicitly stated as not affected.
A use-after-free vulnerability like this, especially in a critical service like DNS, is a serious concern. Attackers can exploit such flaws to achieve arbitrary code execution or cause denial-of-service, compromising the stability and integrity of DNS infrastructure. Given that DNS is a foundational internet service, exploitation could have widespread impact, disrupting network operations and potentially facilitating further attacks by manipulating name resolution.
What This Means For You
- If your organization relies on BIND 9 for DNS services, immediately verify your version number. Specifically, check if you are running any of the affected versions (9.20.x or 9.21.x) with DoH enabled. Prioritize patching or upgrading to a non-vulnerable version to mitigate the risk of remote code execution or service disruption.
Related ATT&CK Techniques
🛡️ Detection Rules
4 rules · 6 SIEM formats4 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Web Application Exploitation Attempt — CVE-2026-3593
title: Web Application Exploitation Attempt — CVE-2026-3593
id: scw-2026-05-20-1
status: experimental
level: high
description: |
Detects common exploitation patterns targeting web applications. Review CVE-2026-3593 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-20
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-3593/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '..'
- 'SELECT'
- 'UNION'
- '<script'
- 'cmd='
- '/etc/passwd'
condition: selection
falsepositives:
- Legitimate activity from CVE-2026-3593
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3593 | Use After Free | BIND 9 versions 9.20.0 through 9.20.22 |
| CVE-2026-3593 | Use After Free | BIND 9 versions 9.21.0 through 9.21.21 |
| CVE-2026-3593 | Use After Free | BIND 9 versions 9.20.9-S1 through 9.20.22-S1 |
| CVE-2026-3593 | Use After Free | DNS-over-HTTPS implementation |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 20, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-20240 — Denial of Service
CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...
Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data
CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...