The specific flaw exists within the handling of TKEY queries. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the "bind" user.
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1963991]
The issue was in the internal implementation of SPNEGO in spnego.c. The function der_match_tag_and_length() reads a length from the user-provided data without validating it. The length is then used in other functions, potentially allowing reads beyond the bounds of a buffer. This problem was fixed upstream by completely removing the internal SPNEGO implementation.
It seems the internal SPNEGO implementation was first introduced with:
https://github.com/isc-projects/bind9/commit/289ae548d52bc8f982d9823af64cafda7bd92232

It was then removed in:
https://github.com/isc-projects/bind9/commit/978c7b2e89aa37a7ddfe2f6b6ba12ce73dd04528
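To illustrate the class of bug described above for der_match_tag_and_length(), here is a DER tag-and-length reader that rejects any declared length larger than the bytes actually remaining. This is an added example, not BIND's code or the upstream fix (upstream removed the implementation); the function name der_read_tag_len and the sample byte strings are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed samples. 0x60 is the constructed [APPLICATION 0] tag. */
const uint8_t ok_short[]   = {0x60, 0x03, 0x01, 0x02, 0x03};
const uint8_t ok_long[]    = {0x60, 0x81, 0x02, 0xaa, 0xbb};
const uint8_t lying_short[] = {0x60, 0x7f, 0x01};             /* claims 127 bytes */
const uint8_t lying_long[]  = {0x60, 0x82, 0xff, 0xff, 0x00}; /* claims 65535 bytes */
const uint8_t trunc_long[]  = {0x60, 0x84, 0x00};             /* length octets cut off */

/* Hypothetical helper: parse one identifier octet and a DER length.
 * On success returns 0 and reports the header size and body length;
 * the caller may then touch only p[hdr_len .. hdr_len + body_len - 1]. */
int der_read_tag_len(const uint8_t *p, size_t avail, uint8_t want_tag,
                     size_t *body_len, size_t *hdr_len)
{
    size_t pos = 0, len;

    if (avail < 2 || p[pos++] != want_tag)
        return -1;                      /* truncated header or wrong tag */

    uint8_t b = p[pos++];
    if (b < 0x80) {
        len = b;                        /* short form: length in one octet */
    } else {
        size_t n = b & 0x7f;            /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || n > avail - pos)
            return -1;                  /* indefinite, too wide, or truncated */
        len = 0;
        while (n--)
            len = (len << 8) | p[pos++];
    }

    /* The validation the description says was missing: the length taken
     * from the input must fit in what is left of the buffer. */
    if (len > avail - pos)
        return -1;

    *body_len = len;
    *hdr_len = pos;
    return 0;
}
```

Every later consumer of the length can then rely on it being within the buffer instead of re-deriving that guarantee.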