
[USN-8293-1] Bind vulnerabilities

Posted on 21 May 2026
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-8293-1
May 21, 2026

bind9 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Bind.

Software Description:
- bind9: Internet Domain Name Server

Details:

Vitaly Simonovich discovered that Bind could exhaust memory during GSS-API
TKEY negotiation. A remote attacker could possibly use this issue to cause
Bind to use excessive resources, leading to a denial of service.
(CVE-2026-3039)

Shuhan Zhang discovered that Bind incorrectly handled self-pointed glue
records. A remote attacker could possibly use this issue to use Bind in
denial of service amplification attacks against other systems.
(CVE-2026-3592)

Naresh Kandula Parmar discovered that Bind incorrectly handled memory in
the DNS-over-HTTPS implementation. A remote attacker could possibly use
this issue to cause Bind to crash, resulting in a denial of service, or
execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu
26.04 LTS. (CVE-2026-3593)

It was discovered that Bind incorrectly handled DNS messages whose class
was not IN. A remote attacker could possibly use this issue to cause Bind
to crash, resulting in a denial of service. (CVE-2026-5946)

Naoki Wakamatsu discovered that Bind incorrectly handled SIG(0) validation
during a query flood. A remote attacker could possibly use this issue to
cause Bind to crash, resulting in a denial of service. This issue only
affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-5947)

Billy Baraja discovered that Bind had an unbounded resend loop in the
resolver. A remote attacker could possibly use this issue to cause Bind to
use excessive resources, leading to a denial of service. (CVE-2026-5950)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
bind9 1:9.20.18-1ubuntu2.1

Ubuntu 25.10
bind9 1:9.20.11-1ubuntu2.4

Ubuntu 24.04 LTS
bind9 1:9.18.39-0ubuntu0.24.04.5

Ubuntu 22.04 LTS
bind9 1:9.18.39-0ubuntu0.22.04.4

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8293-1
CVE-2026-3039, CVE-2026-3592, CVE-2026-3593, CVE-2026-5946,
CVE-2026-5947, CVE-2026-5950

Package Information:
https://launchpad.net/ubuntu/+source/bind9/1:9.20.18-1ubuntu2.1
https://launchpad.net/ubuntu/+source/bind9/1:9.20.11-1ubuntu2.4
https://launchpad.net/ubuntu/+source/bind9/1:9.18.39-0ubuntu0.24.04.5
https://launchpad.net/ubuntu/+source/bind9/1:9.18.39-0ubuntu0.22.04.4
