CVE-2026-3104 in BIND
Summary
by MITRE • 03/25/2026
A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/30/2026
The vulnerability identified as CVE-2026-3104 represents a memory leak condition within the Berkeley Internet Name Domain (BIND) resolver implementation that can be exploited through crafted domain name queries. This issue specifically impacts a range of BIND 9 versions including 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and certain snapshot versions from 9.20.9-S1 through 9.20.20-S1. The flaw manifests when a resolver processes a specially crafted domain name, causing it to consume increasing amounts of memory without proper cleanup of allocated resources. This memory consumption pattern can lead to system instability, performance degradation, and potentially complete service exhaustion if left unaddressed.
The technical root cause of this vulnerability stems from inadequate memory management within the resolver's domain name processing logic. When a maliciously constructed domain name is queried, the BIND resolver fails to properly release memory allocated during the parsing and processing of the domain structure, creating a progressive memory leak that accumulates with each query. This type of vulnerability falls under the CWE-401 category of "Improper Release of Memory Before Removing Last Reference" and represents a classic resource exhaustion attack vector. The vulnerability operates at the application layer within the DNS resolution process, making it particularly dangerous as DNS resolvers are fundamental infrastructure components that typically run continuously and handle high volumes of queries.
The operational impact of CVE-2026-3104 extends beyond simple memory consumption to encompass broader system stability and availability concerns. An attacker could potentially exploit this vulnerability by repeatedly querying the affected resolver with maliciously crafted domains, gradually consuming available memory resources until the system becomes unresponsive or crashes entirely. This attack vector aligns with the ATT&CK technique T1499.004 "Endpoint Denial of Service" and demonstrates how seemingly benign DNS operations can be weaponized to cause service disruption. The vulnerability affects organizations that rely on BIND 9 as their primary DNS resolver, particularly those operating in environments where DNS infrastructure is under continuous stress or where attackers might attempt to exploit such weaknesses for denial of service attacks.
Organizations should prioritize immediate mitigation by upgrading to unaffected BIND 9 versions, specifically those in the 9.18.0 through 9.18.46 range and 9.18.11-S1 through 9.18.46-S1, which are confirmed to be free from this memory leak issue. Additionally, implementing query rate limiting and monitoring for unusual memory consumption patterns can provide early detection of potential exploitation attempts. Network administrators should also consider deploying defensive measures such as DNS firewall rules that can block or rate-limit suspicious domain name patterns, while maintaining regular system monitoring to identify abnormal memory usage trends. The vulnerability highlights the critical importance of keeping DNS infrastructure components updated and demonstrates how memory management flaws in core networking services can create significant operational risks for enterprise environments.