[USN-8293-1] Bind vulnerabilities

========================================================================== Ubuntu Security Notice USN-8293-1 May 21, 2026 bind9 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Bind. Software Description: - bind9: Internet Domain Name Server Details: Vitaly Simonovich discovered that Bind could exhaust memory during GSS-API TKEY negotiation. A remote attacker could possibly use this issue to cause Bind to use excessive resources, leading to a denial of service. (CVE-2026-3039) Shuhan Zhang discovered that Bind incorrectly handled self-pointed glue records. A remote attacker could possibly use this issue to use Bind in denial of service amplification attacks against other systems. (CVE-2026-3592) Naresh Kandula Parmar discovered that Bind incorrectly handled memory in the DNS-over-HTTPS implementation. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-3593) It was discovered that Bind incorrectly handled DNS messages whose class was not IN. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2026-5946) Naoki Wakamatsu discovered that Bind incorrectly handled SIG(0) validation during a query flood. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-5947) Billy Baraja discovered that Bind had an unbounded resend loop in the resolver. A remote attacker could possibly use this issue to cause Bind to use excessive resources, leading to a denial of service. (CVE-2026-5950) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS bind9 1:9.20.18-1ubuntu2.1 Ubuntu 25.10 bind9 1:9.20.11-1ubuntu2.4 Ubuntu 24.04 LTS bind9 1:9.18.39-0ubuntu0.24.04.5 Ubuntu 22.04 LTS bind9 1:9.18.39-0ubuntu0.22.04.4 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8293-1 CVE-2026-3039, CVE-2026-3592, CVE-2026-3593, CVE-2026-5946, CVE-2026-5947, CVE-2026-5950 Package Information: https://launchpad.net/ubuntu/+source/bind9/1:9.20.18-1ubuntu2.1 https://launchpad.net/ubuntu/+source/bind9/1:9.20.11-1ubuntu2.4 https://launchpad.net/ubuntu/+source/bind9/1:9.18.39-0ubuntu0.24.04.5 https://launchpad.net/ubuntu/+source/bind9/1:9.18.39-0ubuntu0.22.04.4