ctipilot.ch

ISC BIND 9 DoH/HTTP-2 use-after-free (CVSS 7.4), fixed 9.20.23

cve · CVE-2026-3593

  • Coverage timeline: 1 (first 2026-05-24 → last 2026-05-24)
  • Briefs: 1 (1 distinct)
  • Sources cited: 5 (3 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-05-24 · CTI Daily Brief — 2026-05-24
    trending_vulns: First coverage: BIND DoH UAF, 9.20.x only

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • kb.isc.org: 2 (40%)
  • nlnetlabs.nl: 2 (40%)
  • ccb.belgium.be: 1 (20%)

Related entities

Items in briefs about ISC BIND 9 DoH/HTTP-2 use-after-free (CVSS 7.4), fixed 9.20.23 (1)

DNS-resolver patch cluster — Unbound 1.25.1 (11 CVEs) and ISC BIND 9.18.49 / 9.20.23

From CTI Daily Brief — 2026-05-24 · published 2026-05-24

Two of the most widely deployed open-source DNS resolvers shipped coordinated security releases on 2026-05-20. NLnet Labs Unbound 1.25.1 fixes 11 CVEs. The headline issue is CVE-2026-33278 (CWE-416 use-after-free; CVSS 9.8 per CCB Belgium): a struct-assignment bug overwrites a destination pointer while deep-copying DS sub-query structures when NSEC3 budget exhaustion forces a suspend, so a remote unauthenticated attacker who controls a DNSSEC-signed domain can crash the daemon or potentially execute code; affected versions are 1.19.1 through 1.25.0 (NLnet Labs, 2026-05-20). CVE-2026-42944 (heap overflow, CVSS 7.5 per CCB Belgium) is reachable in the default configuration, since answer-cookie and pad-responses are on by default, when a reply encodes multiple NSID, DNS-Cookie or EDNS-Padding options (CCB Belgium, 2026-05-20).

ISC BIND 9.18.49 and 9.20.23 fix two issues. CVE-2026-3593 (CVSS 7.4) is a use-after-free in the DoH/HTTP-2 path; ISC lists only 9.20.x as affected, and the fix ships in 9.20.23 with no corresponding 9.18 change. CVE-2026-5946 (CVSS 7.5, DoS) lets a single query bearing a non-Internet CLASS such as CHAOS or HESIOD, or an ANY/NONE meta-class, crash named in the NOTIFY, UPDATE and recursion paths; it affects the very widely deployed 9.18 branch as well as 9.20 (ISC, 2026-05-20).
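A fleet triage pass against the versions quoted above, as an added example (not ISC or NLnet Labs tooling, and not part of the original brief). The fixed versions and the one stated affected range (Unbound 1.19.1 through 1.25.0 for CVE-2026-33278) come from the text; where the brief gives no lower bound (CVE-2026-42944, CVE-2026-5946, and the start of the 9.20 branch for CVE-2026-3593) the script assumes every earlier release on that branch is affected and says so in its comments. The inventory banners are constructed in the shape of `named -v` / `unbound -V` output, and the hostnames are made up.

```python
"""Fleet version triage against the 2026-05-20 Unbound / BIND advisories.

Added example, not ISC or NLnet Labs tooling. Fixed versions and the one
stated affected range (Unbound 1.19.1-1.25.0 for CVE-2026-33278) come from
the brief; where the brief gives no lower bound, this script ASSUMES every
earlier release on that branch is affected. The inventory is constructed.
"""
import re

# (cve, product, branch, first affected (inclusive) or None, first fixed)
# branch: the (major, minor) line the entry applies to, or None for all versions.
ADVISORIES = [
    ("CVE-2026-33278", "unbound", None, (1, 19, 1), (1, 25, 1)),   # range stated on the page
    ("CVE-2026-42944", "unbound", None, None, (1, 25, 1)),         # lower bound: ASSUMPTION
    ("CVE-2026-3593", "bind", (9, 20), None, (9, 20, 23)),         # 9.20.x only per the brief
    ("CVE-2026-5946", "bind", (9, 18), None, (9, 18, 49)),         # lower bound: ASSUMPTION
    ("CVE-2026-5946", "bind", (9, 20), None, (9, 20, 23)),         # lower bound: ASSUMPTION
]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Pull major.minor.patch out of a 'named -v' or 'unbound -V' banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no x.y.z version in {banner!r}")
    return tuple(int(x) for x in m.groups())


def exposures(product, version):
    """CVEs from ADVISORIES that this (product, version) still needs a patch for.

    Raises LookupError when no advisory line covers the branch at all (for
    example an EOL BIND 9.16), because 'no hits' would be misleading there.
    """
    hits, covered = [], False
    for cve, prod, branch, first, fixed in ADVISORIES:
        if prod != product:
            continue
        if branch is not None and version[:2] != branch:
            continue
        covered = True
        if first is not None and version < first:
            continue                      # predates the bug
        if version < fixed:
            hits.append(cve)
    if not covered:
        raise LookupError(f"no advisory line for {product} {version}")
    return hits


# Constructed sample inventory: (host, product, banner as printed by the daemon).
INVENTORY = [
    ("ns1.example.test", "bind", "BIND 9.18.48 (Extended Support Version)"),
    ("ns2.example.test", "bind", "BIND 9.20.22 (Stable Release)"),
    ("ns3.example.test", "bind", "BIND 9.20.23 (Stable Release)"),
    ("ns4.example.test", "bind", "BIND 9.16.50 (Extended Support Version)"),
    ("res1.example.test", "unbound", "Version 1.19.0"),
    ("res2.example.test", "unbound", "Version 1.24.2"),
    ("res3.example.test", "unbound", "Version 1.25.1"),
]


def triage(inventory=INVENTORY):
    """Map each host to its outstanding CVEs, or a REVIEW marker for uncovered branches."""
    result = {}
    for host, product, banner in inventory:
        try:
            result[host] = exposures(product, parse_version(banner))
        except LookupError as exc:
            result[host] = [f"REVIEW: {exc}"]
    return result


if __name__ == "__main__":
    for host, cves in triage().items():
        print(f"{host:20} {', '.join(cves) or 'patched'}")
```

The branch check matters for BIND: a 9.18 host must not be flagged for CVE-2026-3593 just because 9.18.48 sorts below 9.20.23, and a host on a branch the advisories do not mention is reported for manual review rather than silently marked clean.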

No in-the-wild exploitation or public PoC is reported for any of these as of the advisories. They earn § 2 placement on the combination of CVSS-9.8 pre-auth memory-safety reach and the ubiquity of these resolvers across EU/CH government, ISP and critical-infrastructure DNS. Detection is limited to crash telemetry — unbound / named dying with SIGSEGV/SIGABRT in dnssec_* or http_* / isc_tls_* frames, or named crashing immediately after a CHAOS/HESIOD/ANY-class query. Patch recursive and authoritative infrastructure to Unbound 1.25.1, BIND 9.18.49 or 9.20.23.
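The crash-telemetry heuristic described above, as an added example (not ISC, NLnet Labs or ctipilot code). It scans syslog-style lines for named or unbound being killed by SIGSEGV/SIGABRT and, for named, checks whether a non-IN-class query (CH, HS, ANY, NONE) was logged on the same host just before the crash, which is the only trigger signal the advisory text gives for CVE-2026-5946. The log lines are constructed, the five-second window is an assumption, and the BIND query-log layout is the standard `query:` line format; an unbound crash cannot be narrowed further from logs alone, so it is only tagged for core inspection.

```python
"""Crash-telemetry correlation for the 2026-05-20 BIND / Unbound advisories.

Added example, not ISC, NLnet Labs or ctipilot code. The sample lines are
constructed (not real telemetry) and WINDOW_S is an assumption.
"""
import re
from datetime import datetime

SAMPLE_LOG = """
May 24 10:15:01 ns1 named[2211]: client @0x7f3a1c0 192.0.2.10#41022 (www.example.test): query: www.example.test IN A +E(0)K (198.51.100.53)
May 24 10:15:02 ns1 named[2211]: client @0x7f3a1c0 192.0.2.77#51234 (odd.example.test): query: odd.example.test CH A -E(0) (198.51.100.53)
May 24 10:15:02 ns1 systemd[1]: named.service: Main process exited, code=killed, status=11/SEGV
May 24 10:15:02 ns1 systemd[1]: named.service: Failed with result 'signal'.
May 24 11:02:10 res1 unbound[980]: [980:0] info: start of service (unbound 1.24.2).
May 24 11:40:33 res1 systemd[1]: unbound.service: Main process exited, code=killed, status=6/ABRT
May 24 12:00:00 ns2 named[3300]: client @0x7f3a1c0 192.0.2.10#41022 (www.example.test): query: www.example.test IN A +E(0)K (198.51.100.53)
May 24 12:00:09 ns2 systemd[1]: named.service: Main process exited, code=killed, status=11/SEGV
"""

TS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
QUERY_RE = re.compile(r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")
CRASH_RE = re.compile(
    r"(?P<unit>named|unbound)\.service: Main process exited, "
    r"code=killed, status=\d+/(?P<sig>SEGV|ABRT)"
)
ODD_CLASSES = {"CH", "HS", "ANY", "NONE"}
WINDOW_S = 5.0  # ASSUMPTION: link a crash to an odd-class query at most this far back


def parse_line(line):
    """Split a syslog line into timestamp, host, program and message; None if it does not parse."""
    m = TS_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year; strptime fills in 1900, which is
    # harmless here because only differences between timestamps are used.
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"],
            "prog": m["prog"], "msg": m["msg"]}


def detect(lines=None):
    """Return one alert dict per daemon crash, annotated with the CVE to chase first."""
    if lines is None:
        lines = SAMPLE_LOG.strip().splitlines()
    alerts = []
    last_odd = {}  # host -> (ts, qclass, qname) of the most recent non-IN query
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["prog"] == "named":
            q = QUERY_RE.search(rec["msg"])
            if q and q["qclass"] in ODD_CLASSES:
                last_odd[rec["host"]] = (rec["ts"], q["qclass"], q["qname"])
            continue
        c = CRASH_RE.search(rec["msg"])
        if not c:
            continue
        alert = {"host": rec["host"], "daemon": c["unit"], "signal": c["sig"], "ts": rec["ts"]}
        if c["unit"] == "named":
            prev = last_odd.get(rec["host"])
            delta = (rec["ts"] - prev[0]).total_seconds() if prev else None
            if prev and 0 <= delta <= WINDOW_S:
                alert["reason"] = (f"CVE-2026-5946 candidate: {prev[1]}-class query for {prev[2]} "
                                   f"{delta:.0f}s before the crash")
            else:
                alert["reason"] = ("named crash with no odd-class query nearby; pull the core and look "
                                   "for http_* / isc_tls_* frames (CVE-2026-3593) before assuming CVE-2026-5946")
        else:
            alert["reason"] = ("unbound crash; look for dnssec_* frames in the core "
                               "(CVE-2026-33278 / CVE-2026-42944)")
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect():
        print(f"{a['ts']:%b %d %H:%M:%S} {a['host']} {a['daemon']} {a['signal']}: {a['reason']}")
```

CHAOS-class queries such as version.bind are routine on many resolvers, so a match only says which CVE to triage first; confirmation still needs the core dump. Running this over the constructed sample yields three alerts: ns1 (named, SEGV, CH query one second earlier), res1 (unbound, ABRT) and ns2 (named, SEGV, no class trigger seen).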

CVE Summary Table

CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source
CVE-2026-48172 | LiteSpeed User-End cPanel plugin | 10.0 | n/a | No | Yes (ITW) | plugin v2.4.7 / WHM v5.3.1.0 | LiteSpeed
CVE-2026-33278 | NLnet Labs Unbound | 9.8 | n/a | No | No | Unbound 1.25.1 | NLnet Labs
CVE-2026-42944 | NLnet Labs Unbound | 7.5 | n/a | No | No | Unbound 1.25.1 | NLnet Labs
CVE-2026-3593 | ISC BIND 9 (DoH) | 7.4 | n/a | No | No | BIND 9.20.23 | ISC
CVE-2026-5946 | ISC BIND 9 | 7.5 | n/a | No | No | BIND 9.18.49 / 9.20.23 | ISC