BIND 9 DNS-over-HTTPS Heap Use-After-Free Vulnerability

Vulnerability

A heap use-after-free vulnerability has been identified in the DNS-over-HTTPS implementation of BIND 9. This vulnerability affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. The vulnerability allows crafted HTTP/2 traffic sent to a DNS-over-HTTPS endpoint to trigger memory corruption, potentially leading to arbitrary code execution.

Impact

Exploitation of this vulnerability can cause memory corruption, with the potential for arbitrary code execution.

Remediation

Users can upgrade to BIND 9.20.23, 9.21.22, or 9.20.23-S1 to address this vulnerability.
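
To triage a server against the ranges above, the following added example (not ISC's or this page's own code) classifies a version string such as the one `named -v` prints and looks for DNS-over-HTTPS listeners in a named.conf. It assumes that DoH is enabled only by an `http` clause on a `listen-on` or `listen-on-v6` statement; the function names, the simple comment stripping and the sample inputs are constructed for illustration.

```python
import re

# Affected ranges exactly as listed in the advisory: (first, last, is_S_edition).
AFFECTED = [
    ((9, 20, 0), (9, 20, 22), False),
    ((9, 21, 0), (9, 21, 21), False),
    ((9, 20, 9), (9, 20, 22), True),   # 9.20.9-S1 through 9.20.22-S1
]
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?")
# listen-on / listen-on-v6, then its clauses up to the address-match list.
LISTEN_RE = re.compile(r"\blisten-on(?:-v6)?\b([^{};]*)\{")
# Simplified comment stripping (assumption: no comment markers inside strings).
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def parse_version(text):
    """Return ((major, minor, patch), is_s_edition) from a version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no BIND version found in {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None

def is_affected(text):
    """True if the version falls inside one of the advisory's ranges."""
    version, s_edition = parse_version(text)
    return any(s_edition == s and lo <= version <= hi for lo, hi, s in AFFECTED)

def doh_listeners(conf_text):
    """Return the listen-on statements that carry an `http` clause."""
    conf = COMMENT_RE.sub("", conf_text)
    return [" ".join(m.group(0).split()) for m in LISTEN_RE.finditer(conf)
            if "http" in m.group(1).split()]

def assess(version_text, conf_text):
    """Combine both checks: an affected build that also serves DoH."""
    affected = is_affected(version_text)
    listeners = doh_listeners(conf_text)
    return {"affected_version": affected, "doh_listeners": listeners,
            "exposed": affected and bool(listeners)}

# Constructed sample inputs, not taken from a real host.
SAMPLE_VERSION = "BIND 9.20.22 (Stable Release) <id:constructed>"
SAMPLE_CONF = """options {
    listen-on port 53 { any; };
    // listen-on port 8443 tls old-tls http default { any; };
    listen-on-v6 port 443 tls local-tls http default { any; };
};"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONF))
```

A host reported as not exposed because it has no DoH listener still runs an affected build if `affected_version` is true, so the upgrade above remains the fix.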

Added: May 20, 2026, 1:24 PM
Updated: May 20, 2026, 1:24 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 0.6
exploitability: 8.1
remediation: 8.3
relevance: 8.7
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.