Serial number: AV26-490
Date: May 20, 2026
On May 20, 2026, ISC published security advisories to address vulnerabilities in the following products:
- ISC BIND 9 – versions 9.0.0 to 9.16.50
- ISC BIND 9 – versions 9.18.0 to 9.18.48
- ISC BIND 9 – versions 9.20.0 to 9.20.22
- ISC BIND 9 – versions 9.21.0 to 9.21.21
- BIND Supported Preview Edition – versions 9.9.3-S1 to 9.16.50-S1
- BIND Supported Preview Edition – versions 9.18.11-S1 to 9.18.48-S1
- BIND Supported Preview Edition – versions 9.20.9-S1 to 9.20.22-S1
The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.
- CVE-2026-3039: BIND 9 server memory exhaustion during GSS-API TKEY negotiation
- CVE-2026-5947: SIG(0) validation during query flood may lead to undefined behavior
- CVE-2026-5946: Invalid handling of CLASS != IN
- CVE-2026-3593: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation
- BIND 9 Security Vulnerability Matrix