CVE-2026-3593 — ISC BIND 9 DNS-over-HTTPS HTTP/2 SETTINGS Use-After-Free

1. Overview

A use-after-free vulnerability exists in ISC BIND 9’s DNS-over-HTTPS (DoH) implementation. When a DoH response has been sent, the response buffer is freed but a dangling pointer (socket->h2->wbuf) is left pointing to the freed memory. If a client floods HTTP/2 SETTINGS frames that change INITIAL_WINDOW_SIZE, the nghttp2 library re-evaluates stream flow control and calls the data provider callback (server_read_callback), which reads from the freed buffer via memmove().

The UAF read is confirmed by AddressSanitizer and reliably crashes ASAN-instrumented builds (~40% per round). Against production BIND builds using jemalloc, the freed memory remains mapped and the read succeeds silently — the server does not crash. Information disclosure via the HTTP/2 DATA stream was not confirmed: although server_read_callback reads freed heap bytes, nghttp2 discards the result because the stream’s data provider had already signaled EOF; no extra bytes are transmitted to the attacker. The practical impact is therefore denial of service against hardened builds, and a latent memory safety violation in production that could become exploitable if nghttp2’s internal handling changes.

ISC addressed this vulnerability in BIND 9.20.23 and 9.21.22. ...

June 5, 2026 · 10 min · Aretiq AI

CVE-2026-23412 — Linux Kernel Netfilter BPF Hook Use-After-Free LPE

1. Overview

A use-after-free vulnerability exists in the Linux kernel’s BPF netfilter link implementation. The bpf_nf_link_lops operations structure uses synchronous deallocation (.dealloc) instead of RCU-deferred freeing (.dealloc_deferred), allowing a use-after-free when concurrent hook enumeration via nfnetlink races with BPF link destruction. The UAF on the kmalloc-192 slab cache is exploitable for local privilege escalation through heap spray and function pointer hijacking.

The Linux kernel community addressed this vulnerability in kernel version 7.0-rc5. ...

May 18, 2026 · 8 min · Aretiq AI