Cyber Resilience

CVE-2026-3039

High

Published: 20 May 2026

Published
20 May 2026
Modified
21 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0056 42.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3039 is a high-severity Missing Reference to Active Allocated Resource (CWE-771) vulnerability in Isc Bind. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments.…

more

This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote exploitation of public-facing BIND DNS service (T1190) via crafted packets directly enables application exhaustion leading to DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3104Same product: Isc Bind
CVE-2026-1519Same product: Isc Bind
CVE-2026-5946Same product: Isc Bind
CVE-2026-5947Same product: Isc Bind
CVE-2026-3593Same product: Isc Bind
CVE-2026-20004Shared CWE-771

Affected Assets

isc
bind
9.0.0 — 9.16.50 · 9.18.0 — 9.18.49 · 9.20.0 — 9.20.23

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References