https://aretiq.ai/tags/dns/Recent content in Dns on Aretiq AIHugoen-usFri, 05 Jun 2026 00:00:00 +0000https://aretiq.ai/research/vul260605-cve-2026-3593-isc-bind-9-dns-over-https-http2-settings-use-after-free/Fri, 05 Jun 2026 00:00:00 +0000https://aretiq.ai/research/vul260605-cve-2026-3593-isc-bind-9-dns-over-https-http2-settings-use-after-free/<h2 id="1-overview">1. Overview</h2> <p>A use-after-free vulnerability exists in ISC BIND 9&rsquo;s DNS-over-HTTPS (DoH) implementation. When a DoH response has been sent, the response buffer is freed but a dangling pointer (<code>socket-&gt;h2-&gt;wbuf</code>) is left pointing to the freed memory. If a client floods HTTP/2 SETTINGS frames that change <code>INITIAL_WINDOW_SIZE</code>, the nghttp2 library re-evaluates stream flow control and calls the data provider callback (<code>server_read_callback</code>), which reads from the freed buffer via <code>memmove()</code>. The UAF read is confirmed by AddressSanitizer and reliably crashes ASAN-instrumented builds (~40% per round). Against production BIND builds using jemalloc, the freed memory remains mapped and the read succeeds silently — the server does not crash. Information disclosure via the HTTP/2 DATA stream was not confirmed: although <code>server_read_callback</code> reads freed heap bytes, nghttp2 discards the result because the stream&rsquo;s data provider had already signaled EOF; no extra bytes are transmitted to the attacker. The practical impact is therefore denial of service against hardened builds, and a latent memory safety violation in production that could become exploitable if nghttp2&rsquo;s internal handling changes. ISC addressed this vulnerability in BIND 9.20.23 and 9.21.22.</p>