Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation

...

BIND 9 server memory exhaustion during GSS-API TKEY negotiation

...

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Bind vulnerabilities (USN-8293-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8293-1 advisory. Vitaly Simonovich discovered that Bind could exhaust memory during GSS-API TKEY negotiation. A remote attacker could...

Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: bind: bind-9.18.49-1.hum1 aarch64, x8664 bind-chroot-9.18.49-1.hum1 aarch64, x8664 bind-devel-9.18.49-1.hum1 aarch64, x8664 bind-dnssec-utils-9.18.49-1.hum1 aarch64, x8664 bind-doc-9.18.49-1.hum1...

Security Bulletin: Vault Terraform Provider Incorrect Defaults for LDAP Auth Method, Resulting in Insecure Configuration and Potential Authentication Bypass

Summary Vault’s Terraform Provider incorrectly set the default denynullbind parameter for the LDAP auth method to false by default. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in...

CVE-2026-3039

A flaw was found in BIND. A remote attacker can exploit this vulnerability by sending maliciously-constructed packets to BIND servers configured for TKEY-based authentication via GSS-API Generic Security Service Application Program Interface tokens. This can lead to excessive memory consumption,...

CVE-2026-5947

A flaw was found in BIND. A remote attacker could exploit a race condition during SIG0 signature validation of an incoming DNS message. If the "recursive-clients" limit is reached and the message is discarded, a use-after-free vulnerability may occur. This could lead to undefined behavior and...

CVE-2026-3593

A flaw was found in the BIND Berkeley Internet Name Domain DNS-over-HTTPS implementation. A remote attacker could send specially crafted HTTP/2 traffic to a DNS-over-HTTPS endpoint, leading to a use-after-free vulnerability. This could trigger memory corruption, potentially allowing the attacker ...

CVE-2026-44052

Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials...

CVE-2026-44052

Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials...

CVE-2026-44052 LDAP simple-bind password exposure in log output

Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials...

[slackware-security] bind

New bind packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/bind-9.18.49-i586-1slack15.0.txz: Upgraded. This update fixes security issues: Fix outgoing zone transfers' quota issue. Limit resolver...

Slackware Linux 15.0 / current bind Multiple Vulnerabilities (SSA:2026-141-01)

The version of bind installed on the remote host is prior to 9.18.49 / 9.20.23. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2026-141-01 advisory. New bind packages are available for Slackware 15.0 and -current to fix security issues. Tenable has extracted the...

[SECURITY] [DSA 6285-1] bind9 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6285-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 20, 2026 https://www.debian.org/security/faq -...

Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS

Summary The SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553" — a Go http.Server.Addr of ":5553" listens on every interface. On...

GHSA-GJ84-924C-48FX Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS

Summary The SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553" — a Go http.Server.Addr of ":5553" listens on every interface. On...

CVE-2026-5950

An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 throu...

ALPINE-CVE-2026-5947

Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG0, it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached as would occur during a query...

CVE-2026-5947

Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG0, it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached as would occur during a query...

ALPINE-CVE-2026-5946

Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet IN — for example, CHAOS or HESIOD, or DNS messages that specify meta-classes ANY or NONE in the question section. Specially crafted requests reaching the affected code paths — recursio...