Cyber Posture

CVE-2026-3104

High

Published: 25 March 2026

Published
25 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0005 14.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3104 is a high-severity Missing Release of Resource after Effective Lifetime (CWE-772) vulnerability in Isc (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of flaws such as the memory leak in vulnerable BIND resolver versions through patching.

SC-5 Denial-of-service Protection good match
prevent

Implements controls to protect against denial-of-service attacks like repeated malicious DNS queries causing memory exhaustion.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) partial match
prevent

Mandates secure configuration of recursive or caching DNS resolvers with query validation and rate limiting to mitigate crafted domain exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Remote memory-leak DoS in public-facing BIND DNS resolver directly enables T1190 (exploitation of internet-facing application) and achieves T1499.004 (endpoint DoS via application exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions…

more

9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

Deeper analysisAI

CVE-2026-3104 is a memory leak vulnerability (CWE-772) in the BIND resolver, triggered by querying a specially crafted domain. It affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. Versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are not affected. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects.

An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required. By repeatedly querying the malicious domain, the attacker induces a memory leak in the BIND resolver, potentially leading to denial-of-service through gradual resource exhaustion and service degradation or crash.

ISC advisories recommend upgrading to patched versions BIND 9.20.21 or 9.21.20, available at the respective download links. Additional details are provided in the ISC knowledge base article at https://kb.isc.org/docs/cve-2026-3104.

Details

CWE(s)
CWE-772

Affected Products

Isc
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-30256Shared CWE-772
CVE-2025-22891Shared CWE-772
CVE-2025-24120Shared CWE-772
CVE-2026-2359Shared CWE-772
CVE-2026-20082Shared CWE-772
CVE-2026-2261Shared CWE-772
CVE-2025-27421Shared CWE-772

References