PatchSiren

CVE-2026-3039 ISC CVE debrief

CVE-2026-3039 is a denial-of-service vulnerability in ISC BIND when a server is configured to use TKEY-based authentication via GSS-API tokens. Maliciously constructed packets can trigger excessive memory consumption, which is particularly relevant in Active Directory-integrated DNS and Kerberos-secured DNS environments. NVD lists the issue as CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Vendor: ISC
Product: BIND 9
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

BIND administrators who run DNS services with TKEY/GSS-API authentication should treat this as a priority issue, especially in Active Directory-integrated DNS and Kerberos-secured DNS deployments.

Technical summary

The NVD record states that BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and the listed -S1 branches are affected. The vulnerability is mapped to CWE-771 and has an availability-only impact in the supplied CVSS vector. ISC references download pages for BIND 9.18.49, 9.20.23, and 9.21.22, which should be reviewed alongside the ISC KB entry for branch-specific remediation guidance.

Defensive priority

High for any exposed BIND deployment that uses TKEY-based GSS-API authentication, because the issue is network-reachable, requires no privileges or user interaction, and can consume memory on core DNS infrastructure.

Recommended defensive actions

  • Inventory BIND servers that use TKEY/GSS-API authentication and confirm whether they are part of Active Directory-integrated DNS or Kerberos-secured DNS setups.
  • Review the ISC KB entry for CVE-2026-3039 and align remediation with the BIND branch you run.
  • Upgrade impacted BIND branches using ISC's referenced release streams, including 9.18.49, 9.20.23, or 9.21.22 where applicable to your branch.
  • Prioritize patching internet-facing or business-critical DNS servers first, then validate DNS service stability after the update.
  • Monitor memory usage and DNS service health for signs of resource exhaustion until remediation is complete.
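For the inventory step, a triage helper can combine the two conditions this debrief names: a version inside the listed affected ranges and a configuration that enables GSS-API for TKEY. This is an added example, not ISC or PatchSiren code. It assumes the version string comes from `named -v` and the configuration text from `named-checkconf -p`; the function names, result labels and sample configuration are constructed for illustration.

```python
import re

# Affected ranges as listed in the debrief (inclusive bounds).
AFFECTED = [
    ((9, 0, 0), (9, 16, 50)),
    ((9, 18, 0), (9, 18, 48)),
    ((9, 20, 0), (9, 20, 22)),
    ((9, 21, 0), (9, 21, 21)),
]
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?")
# named.conf options that turn on GSS-API (GSS-TSIG) handling for TKEY.
GSS_OPTION = re.compile(r"\btkey-gssapi-(?:keytab|credential)\b")

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    // tkey-gssapi-credential "DNS/ns1.example.test";
    tkey-gssapi-keytab "/etc/bind/krb5.keytab";  # AD-integrated updates
};
"""


def strip_comments(conf):
    """Remove /* */, // and # comments so disabled options are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(?://|#).*", "", conf)


def assess(version_banner, named_conf):
    """Classify one server: affected, version-only, review or not-affected."""
    m = VERSION.search(version_banner)
    if not m:
        return "review"            # unparseable banner: check by hand
    if m.group(4):
        return "review"            # -S ranges are not enumerated in the debrief
    ver = tuple(int(p) for p in m.group(1, 2, 3))
    if not any(lo <= ver <= hi for lo, hi in AFFECTED):
        return "not-affected"
    uses_gss = GSS_OPTION.search(strip_comments(named_conf)) is not None
    return "affected" if uses_gss else "version-only"


if __name__ == "__main__":
    for banner in ("BIND 9.18.48 (Extended Support Version)", "BIND 9.20.23"):
        print(banner, "->", assess(banner, SAMPLE_CONF))
```

A "version-only" result means the build is in a listed range but no GSS-API TKEY option is active; "review" covers -S builds and unparseable banners, which need the ISC KB entry.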

Evidence notes

This debrief is grounded in the supplied NVD modified record and ISC reference links. The record was published and last modified on 2026-05-20, with NVD status shown as 'Undergoing Analysis' at the time of the supplied source. The vulnerability description specifically names TKEY-based authentication via GSS-API tokens, maliciously constructed packets, and excessive memory consumption. The supplied vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and the weakness is identified as CWE-771.

Official resources

CVE-2026-3039 was published and last modified on 2026-05-20 in the supplied record. The supplied NVD record was still marked 'Undergoing Analysis' at the time of that modification, and this debrief reflects only the evidence in the provided