From: Aydın Mercan
Date: Tue, 5 May 2026 12:27:06 +0000 (+0300)
Subject: [CVE-2026-3593] sec: usr: Fix use-after-free in DNS-over-HTTPS when processing HTTP...
X-Git-Tag: v9.21.22~3
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=e33ff6bb0ac7110ea2b64ba5adde0fb72200f37d;p=thirdparty%2Fbind9.git

[CVE-2026-3593] sec: usr: Fix use-after-free in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames

A use-after-free vulnerability in the DNS-over-HTTPS implementation
could cause named to crash when a client sends a flood of HTTP/2
SETTINGS frames while a DoH response is being written. This affects
servers with DoH (DNS-over-HTTPS) enabled.

ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting
this.

For: https://gitlab.isc.org/isc-projects/bind9/-/issues/5755

Merge branch '5755-heap-user-after-free-http2-settings' into 'security-main'

See merge request isc-private/bind9!949
---

e33ff6bb0ac7110ea2b64ba5adde0fb72200f37d