1. Ubuntu Security Notices
  2. USN-8293-1

USN-8293-1: Bind vulnerabilities

Publication date

21 May 2026

Overview

Several security issues were fixed in Bind.

Releases

Packages

  • bind9 - Internet Domain Name Server

Details

Vitaly Simonovich discovered that Bind could exhaust memory during GSS-API
TKEY negotiation. A remote attacker could possibly use this issue to cause
Bind to use excessive resources, leading to a denial of service.
(CVE-2026-3039)

Shuhan Zhang discovered that Bind incorrectly handled self-pointed glue
records. A remote attacker could possibly use this issue to use Bind in
denial of service amplification attacks against other systems.
(CVE-2026-3592)

Naresh Kandula Parmar discovered that Bind incorrectly handled memory in
the DNS-over-HTTPS implementation. A remote attacker could possibly use
this issue to cause Bind to crash, resulting in a denial of service, or
execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu
26.04 LTS. (CVE-2026-3593)

It was discovered that Bind incorrectly handled...

Vitaly Simonovich discovered that Bind could exhaust memory during GSS-API
TKEY negotiation. A remote attacker could possibly use this issue to cause
Bind to use excessive resources, leading to a denial of service.
(CVE-2026-3039)

Shuhan Zhang discovered that Bind incorrectly handled self-pointed glue
records. A remote attacker could possibly use this issue to use Bind in
denial of service amplification attacks against other systems.
(CVE-2026-3592)

Naresh Kandula Parmar discovered that Bind incorrectly handled memory in
the DNS-over-HTTPS implementation. A remote attacker could possibly use
this issue to cause Bind to crash, resulting in a denial of service, or
execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu
26.04 LTS. (CVE-2026-3593)

It was discovered that Bind incorrectly handled DNS messages whose class
was not IN. A remote attacker could possibly use this issue to cause Bind
to crash, resulting in a denial of service. (CVE-2026-5946)

Naoki Wakamatsu discovered that Bind incorrectly handled SIG(0) validation
during a query flood. A remote attacker could possibly use this issue to
cause Bind to crash, resulting in a denial of service. This issue only
affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-5947)

Billy Baraja discovered that Bind had an unbounded resend loop in the
resolver. A remote attacker could possibly use this issue to cause Bind to
use excessive resources, leading to a denial of service. (CVE-2026-5950)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
26.04 LTS resolute bind9 –  1:9.20.18-1ubuntu2.1
25.10 questing bind9 –  1:9.20.11-1ubuntu2.4
24.04 LTS noble bind9 –  1:9.18.39-0ubuntu0.24.04.5
22.04 LTS jammy bind9 –  1:9.18.39-0ubuntu0.22.04.4

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›