{"schema_version":"1.0","report_url":"https://aretiq.ai/research/vul260605-cve-2026-3593-isc-bind-9-dns-over-https-http2-settings-use-after-free/","date":"2026-06-05","last_modified":"2026-06-05","cve":"CVE-2026-3593","title":"CVE-2026-3593 — ISC BIND 9 DNS-over-HTTPS HTTP/2 SETTINGS Use-After-Free","vulnerability_name":"ISC BIND 9 DNS-over-HTTPS HTTP/2 SETTINGS Use-After-Free","vendor":"ISC","product":"BIND 9","component":"netmgr/http (DoH)","binary":"named","impact":"DoS","cwe":["CWE-416","CWE-825"],"severity":{"cvss_v4_score":6.3,"cvss_v4_vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:P"},"attack_vector":"Network","patch_kb":null,"poc_verified":true,"poc_download":"https://aretiq.ai/downloads/","tags":["cve-2026-3593","bind","dns","doh","http2","use-after-free","dos"],"summary":"1. Overview A use-after-free vulnerability exists in ISC BIND 9’s DNS-over-HTTPS (DoH) implementation. When a DoH response has been sent, the response buffer is freed but a dangling pointer (socket-\u003eh2-\u003ewbuf) is left pointing to the freed memory. If a client floods HTTP/2 SETTINGS frames that change INITIAL_WINDOW_SIZE, the nghttp2 library re-evaluates stream flow control and calls the data provider callback (server_read_callback), which reads from the freed buffer via memmove(). The UAF read is confirmed by AddressSanitizer and reliably crashes ASAN-instrumented builds (~40% per round). Against production BIND builds using jemalloc, the freed memory remains mapped and the read succeeds silently — the server does not crash. Information disclosure via the HTTP/2 DATA stream was not confirmed: although server_read_callback reads freed heap bytes, nghttp2 discards the result because the stream’s data provider had already signaled EOF; no extra bytes are transmitted to the attacker. The practical impact is therefore denial of service against hardened builds, and a latent memory safety violation in production that could become exploitable if nghttp2’s internal handling changes. ISC addressed this vulnerability in BIND 9.20.23 and 9.21.22.\n"}