
Critical Bind DNS Vulnerabilities Expose Servers to DoS and RCE Attacks

Ubuntu has released security patches for multiple critical vulnerabilities in Bind DNS software, including memory exhaustion, denial of service, and potential remote code execution flaws. Organizations running affected Ubuntu versions should prioritize immediate patching to prevent exploitation.

TL;DR

  • Five vulnerabilities discovered in Bind DNS, ranging from DoS to potential RCE in the DNS-over-HTTPS implementation
  • Memory exhaustion during GSS-API TKEY negotiation can be weaponized for resource depletion attacks
  • Self-pointed glue record handling flaw enables DNS amplification attacks against third-party systems
  • Ubuntu 25.10 and 26.04 LTS face additional RCE risk through DNS-over-HTTPS memory corruption
  • SIG(0) validation bypass during query floods creates crash vector for authenticated DNS operations

Ubuntu has released critical security updates addressing five vulnerabilities in the Bind DNS resolver software. These flaws span multiple attack vectors including memory exhaustion, denial of service conditions, and potential remote code execution, affecting organizations across different Ubuntu LTS and standard releases.

The vulnerabilities range from protocol-level handling issues to implementation defects in modern DNS transport mechanisms. Several flaws enable attackers to exhaust server resources or crash DNS services entirely, while one memory corruption issue in DNS-over-HTTPS could lead to arbitrary code execution on affected systems.

Immediate patching is recommended for all organizations running Bind on affected Ubuntu versions, particularly those operating DNS infrastructure in internet-facing environments.

Vulnerability Breakdown

  • CVE-2026-3039: GSS-API TKEY negotiation memory exhaustion allows remote attackers to trigger excessive resource consumption and denial of service
  • CVE-2026-3592: Improper glue record validation enables DNS amplification attacks, allowing attackers to abuse Bind servers as attack vectors against third parties
  • CVE-2026-3593: DNS-over-HTTPS memory handling flaw permits crash or arbitrary code execution (Ubuntu 25.10 and 26.04 LTS only)
  • CVE-2026-5946: Non-IN class DNS message handling defect causes resolver crashes on malformed queries
  • SIG(0) validation bypass: Query flood conditions bypass DNSSEC signature validation, enabling authenticated DoS attacks

Remediation and Impact

  • Apply USN-8293-1 patches immediately to all Bind installations, prioritizing internet-facing DNS resolvers
  • Ubuntu 25.10 and 26.04 LTS users face elevated risk due to RCE potential in DNS-over-HTTPS code paths
  • Implement rate limiting and query validation rules to mitigate amplification and flood-based exploitation
  • Monitor Bind process stability and resource consumption for signs of active exploitation attempts
  • Consider network segmentation to limit DNS resolver exposure and restrict recursive query access to trusted clients
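What the rate-limiting and recursion-restriction bullets above look like in a BIND 9 named.conf, as an added example that is not taken from the advisory or from Ubuntu's packaging: an open-resolver configuration followed by a hardened one. The ACL ranges and the statistics port are placeholders to adapt to your own network.

```conf
// --- Weak: open recursive resolver, no response rate limiting ---
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };      // any internet host can drive recursion and use the cache
};

// --- Hardened: recursion only for trusted clients, RRL and limits enabled ---
acl trusted {
    127.0.0.1;
    10.0.0.0/8;                    // placeholder: replace with your client networks
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };          // authoritative answers remain reachable
    allow-recursion { trusted; };  // recursion only for trusted clients
    allow-query-cache { trusted; };// cache contents only for trusted clients
    recursive-clients 1000;        // cap concurrent outstanding recursions under a query flood

    // Response Rate Limiting: caps identical responses per client prefix per second,
    // reducing the value of this server as an amplifier against third parties
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;                    // every second dropped response is replaced by a truncated one
        log-only no;               // set to yes first to observe what would be limited
    };
};

// Expose named's statistics (memory use, recursive clients, query rates) to a local monitor
statistics-channels {
    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
```

These settings reduce amplification and flood exposure but do not fix the flaws themselves; only the USN-8293-1 update does.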



Critical Bind DNS Vulnerabilities Expose Servers to DoS and RCE Attacks — Agent Breach Blog | Agent Breach