
Security Updates for Fedora 43 Address Multiple CVEs

Severity: Medium (Score: 57.9)

Sources: Linuxsecurity

Published: 2026-05-26 · Updated: 2026-05-26

Keywords: update, fedora, rhbz, security, fixes, limit, resolver

Summary

On May 26, 2026, Fedora released updates for bind-dyndb-ldap and bind, addressing critical security vulnerabilities. The updates include fixes for CVE-2026-3592 (the fix limits resolver server list size), CVE-2026-3039 (the fix resolves a GSS-API resource leak), and CVE-2026-5946 (the fix disables recursion, UPDATE, and NOTIFY for non-IN views). All three CVEs were published on May 20, 2026. Affected systems include Fedora 43 installations using bind and bind-dyndb-ldap. Users are advised to update to version 9.18.49 to mitigate these vulnerabilities. The updates are crucial for maintaining the security and integrity of systems relying on these services.

Key Points:

  • Fedora 43 updates address three critical CVEs affecting bind and bind-dyndb-ldap.
  • The fix for CVE-2026-3592 limits resolver server list size to enhance security.
  • Users are urged to update to version 9.18.49 to mitigate these vulnerabilities.

Detailed Analysis

**Impact** Users of Fedora 43 running the BIND DNS server are affected by multiple vulnerabilities that could lead to denial of service or unauthorized resource access. The issues impact DNS resolution services, potentially disrupting network operations for organizations relying on Fedora 43 in any sector or geography. No specific data breach or exfiltration details are provided.

**Technical Details** The vulnerabilities addressed include CVE-2026-3592 (resolver server list size limitation), CVE-2026-3039 (GSS-API resource leak), and CVE-2026-5946 (recursion, UPDATE, and NOTIFY disabled for non-IN views). These issues relate to DNS server configuration and resource management and are fixed in the BIND 9.18.49 update. No information on active exploitation, malware, or IOCs is provided.

**Recommended Response** Apply the BIND update to version 9.18.49 on Fedora 43 systems immediately to mitigate the identified CVEs. Harden DNS server configurations by disabling recursion, UPDATE, and NOTIFY for non-IN views as per the patch. Monitor DNS server logs for unusual activity related to recursion or update requests. No additional detection or blocking indicators are available from the sources.
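A configuration audit for the hardening step above, as an added example that is not part of the advisory or of BIND: it scans named.conf text for views declared with a class other than IN and reports which of recursion, UPDATE, and NOTIFY each one enables explicitly. The sample configuration and the function names are constructed for illustration, and settings inherited from the global options block are not evaluated.

```python
import re

# Constructed sample named.conf fragment (not taken from the advisory).
SAMPLE_CONF = '''
view "internal" {
    recursion yes;   # class omitted, so this view is class IN
};
view "chaos-view" CH {
    recursion yes;
    zone "bind" CH { type primary; allow-update { any; }; notify yes; };
};
view "hesiod" HS { recursion no; notify no; allow-update { none; }; };
'''

VIEW_RE = re.compile(r'\bview\s+"?([\w.-]+)"?\s*(\w+)?\s*\{')
RISKY = {  # statements that explicitly enable a feature the fix disables
    "recursion": re.compile(r'\brecursion\s+(yes|true|1)\s*;'),
    "UPDATE": re.compile(r'\ballow-update\s*\{(?!\s*none\s*;)|\bupdate-policy\b'),
    "NOTIFY": re.compile(r'\bnotify\s+(yes|explicit|primary-only|master-only)\s*;'),
}

def strip_comments(conf):
    """Remove /* */, // and # comments (assumes none occur inside strings)."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', conf)

def block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")

def audit_non_in_views(conf):
    """Map each non-IN view name to the risky features it enables explicitly."""
    conf = strip_comments(conf)
    report = {}
    for m in VIEW_RE.finditer(conf):
        view_class = (m.group(2) or "IN").upper()  # class defaults to IN
        if view_class != "IN":
            body = block_body(conf, m.end() - 1)   # includes nested zone blocks
            report[m.group(1)] = [k for k, rx in RISKY.items() if rx.search(body)]
    return report
```

A view that appears in the result with an empty list is non-IN but enables none of the three features explicitly.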

Source articles (2)

  • Fedora 43 bind-dyndb-ldap 2026 — Linuxsecurity · 2026-05-26
    Update to 9.18.49 (rhbz#2480121) Security Fixes: Limit resolver server list size. (CVE-2026-3592) Fix GSS-API resource leak. (CVE-2026-3039) Disable recursion, UPDATE, and NOTIFY for non-IN views. (CV…
  • Fedora 43 bind 2026 — Linuxsecurity · 2026-05-26
    Update to 9.18.49 (rhbz#2480121) Security Fixes: Limit resolver server list size. (CVE-2026-3592) Fix GSS-API resource leak. (CVE-2026-3039) Disable recursion, UPDATE, and NOTIFY for non-IN views. (CV…

Timeline

  • 2026-05-20 — CVE-2026-3039 published: CVE-2026-3039 concerns a GSS-API resource leak in bind and bind-dyndb-ldap.
  • 2026-05-20 — CVE-2026-3592 published: The fix for CVE-2026-3592 limits the resolver server list size to prevent potential exploitation.
  • 2026-05-20 — CVE-2026-5946 published: The fix for CVE-2026-5946 disables recursion, UPDATE, and NOTIFY for non-IN views to enhance security.
  • 2026-05-26 — Fedora 43 updates released: Fedora released updates for bind and bind-dyndb-ldap to address critical vulnerabilities.

CVEs

  • CVE-2026-3039
  • CVE-2026-3592
  • CVE-2026-5946
