ISC BINDにおける複数の脆弱性(2026年5月)
| Title |
ISC BINDにおける複数の脆弱性(2026年5月)
|
| Summary |
ISC(Internet Systems Consortium)が提供するISC BINDには、次の複数の脆弱性が存在します。<ul><li>GSS-APIトークンを介したTKEYベースの認証を使用するように設定されたBINDサーバーが細工されたパケットを受信・処理した場合、メモリを過剰に消費する(CVE-2026-3039)</li><li>BINDリゾルバは、リソース消費の増幅および枯渇攻撃に対して脆弱なため、細工されたゾーンに対してクエリを送信すると通常よりも過剰なリソースを消費する(CVE-2026-3592)</li><li>DNS-over-HTTPSの実装に、use-after-freeの脆弱性が存在する(CVE-2026-3593)</li><li>namedにおける特定のDNSメッセージ処理に複数の不備があり、細工されたリクエストが影響を受けるコードパスに到達すると、アサーション違反が発生する(CVE-2026-5946)</li><li>BINDがSIG(0)で署名された着信DNSメッセージの署名を検証中に、競合状態が発生しメモリ解放後の使用(use-after-free)が起き、未定義動作が発生する(CVE-2026-5947)</li><li>BIND 9のリゾルバ状態マシンにおいて、不正なサーバーへの対応処理中に無制限の再送信ループが起こる(CVE-2026-5950)</li></ul>
|
| Possible impacts |
想定される影響は各脆弱性により異なりますが、次のような影響を受ける可能性があります。<ul><li>遠隔の攻撃者によって、サービス運用妨害(DoS)攻撃を引き起こされる(CVE-2026-3039、CVE-2026-3592、CVE-2026-5946、CVE-2026-5947、CVE-2026-5950)</li><li>遠隔の攻撃者によって、メモリ破損を引き起こされる(CVE-2026-3593)</li></ul> |
| Solution |
CVE-2026-3039、CVE-2026-3592、CVE-2026-5946、CVE-2026-5950: [アップグレードする] 開発者が提供する次のパッチバージョンにアップデートしてください。 <ul> <li>BIND 9.18.49</li> <li>BIND 9.20.23</li> <li>BIND 9.21.22</li> <li>BIND 9.18.49-S1(Supported Preview Edition)</li> <li>BIND 9.20.23-S1(Supported Preview Edition)</li> </ul> CVE-2026-3593、CVE-2026-5947: [アップグレードする] 開発者が提供する次のパッチバージョンにアップデートしてください。 <ul> <li>BIND 9.20.23</li> <li>BIND 9.21.22</li> <li>BIND 9.20.23-S1(Supported Preview Edition)</li> </ul> なお、開発者はCVE-2026-3593およびCVE-2026-5946に対するワークアラウンドも提供しています。 詳細は、開発者が提供する情報を確認してください。 |
| Publication Date |
May 21, 2026, midnight |
| Registration Date |
May 22, 2026, 3:55 p.m. |
| Last Update |
May 22, 2026, 3:55 p.m. |
Affected System
| ISC, Inc. |
|
BIND 9.0.0から9.16.50 (CVE-2026-3039)
|
|
BIND 9.11.0から9.16.50 (CVE-2026-3592、CVE-2026-5946)
|
|
BIND 9.11.3-S1から9.16.50-S1(Supported Preview Edition) (CVE-2026-3592、CVE-2026-5946)
|
|
BIND 9.18.0から9.18.48 (CVE-2026-3039、CVE-2026-3592、CVE-2026-5946)
|
|
BIND 9.18.11-S1から9.18.48-S1(Supported Preview Edition) (CVE-2026-3039、CVE-2026-3592、CVE-2026-5946)
|
|
BIND 9.18.36-S1から9.18.48-S1(Supported Preview Edition) (CVE-2026-5950)
|
|
BIND 9.18.36から9.18.48 (CVE-2026-5950)
|
|
BIND 9.20.0から9.20.22 (CVE-2026-3039、CVE-2026-3592、CVE-2026-3593、CVE-2026-5947、CVE-2026-5946)
|
|
BIND 9.20.8から9.20.22 (CVE-2026-5950)
|
|
BIND 9.20.9-S1から9.20.22-S1(Supported Preview Edition) (CVE-2026-3039、CVE-2026-3592、CVE-2026-3593、CVE-2026-5947、CVE-2026-5946、CVE-2026-5950)
|
|
BIND 9.21.0から9.21.21 (CVE-2026-3039、CVE-2026-3592、CVE-2026-3593、CVE-2026-5947、CVE-2026-5946)
|
|
BIND 9.21.7から9.21.21 (CVE-2026-5950)
|
|
BIND 9.9.3-S1から9.16.50-S1(Supported Preview Edition) (CVE-2026-3039)
|
CVE (情報セキュリティ 共通脆弱性識別子)
その他
Change Log
| No |
Changed Details |
Date of change |
| 1 |
[2026年05月22日]
掲載 |
May 22, 2026, 3:55 p.m. |
NVD Vulnerability Information
CVE-2026-3039
| Summary |
BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments.
This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
|
| Publication Date |
May 20, 2026, 10:16 p.m. |
| Registration Date |
May 21, 2026, 4:09 a.m. |
| Last Update |
May 22, 2026, 12:24 a.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.0.0 |
9.16.50 |
|
|
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.18.0 |
|
|
9.18.49 |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.20.0 |
|
|
9.20.23 |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.21.0 |
|
|
9.21.22 |
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-3592
| Summary |
BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
|
| Publication Date |
May 20, 2026, 10:16 p.m. |
| Registration Date |
May 21, 2026, 4:09 a.m. |
| Last Update |
May 22, 2026, 12:24 a.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.11.0 |
9.16.50 |
|
|
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.18.0 |
|
|
9.18.49 |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.20.0 |
|
|
9.20.23 |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.21.0 |
|
|
9.21.22 |
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-3593
| Summary |
A use-after-free vulnerability exists within the DNS-over-HTTPS implementation.
This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.
BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.
|
| Publication Date |
May 20, 2026, 10:16 p.m. |
| Registration Date |
May 21, 2026, 4:09 a.m. |
| Last Update |
May 22, 2026, 12:24 a.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.20.0 |
|
|
9.20.23 |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.21.0 |
|
|
9.21.22 |
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-5946
| Summary |
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
|
| Publication Date |
May 20, 2026, 10:16 p.m. |
| Registration Date |
May 21, 2026, 4:09 a.m. |
| Last Update |
May 22, 2026, 12:24 a.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.11.0 |
9.16.50 |
|
|
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.18.0 |
|
|
9.18.49 |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.20.0 |
|
|
9.20.23 |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.21.0 |
|
|
9.21.22 |
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-5947
| Summary |
Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message.
This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.
BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
|
| Publication Date |
May 20, 2026, 10:16 p.m. |
| Registration Date |
May 21, 2026, 4:09 a.m. |
| Last Update |
May 22, 2026, 12:24 a.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.20.0 |
|
|
9.20.23 |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.21.0 |
|
|
9.21.22 |
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-5950
| Summary |
An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions.
This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
|
| Publication Date |
May 20, 2026, 10:16 p.m. |
| Registration Date |
May 21, 2026, 4:09 a.m. |
| Last Update |
May 22, 2026, 12:24 a.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.18.36 |
|
|
9.18.49 |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.20.8 |
|
|
9.20.23 |
| cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* |
9.21.7 |
|
|
9.21.21 |
Related information, measures and tools
Common Vulnerabilities List