GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.
SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.
The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.
BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.
In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.
Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers.
The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible.
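As an added example (not part of the ISC advisory text above or of this bug thread), the following shell check reports whether a given named.conf sets tkey-gssapi-keytab or tkey-gssapi-credential on an uncommented line, i.e. whether the non-default GSS-TSIG code path the advisory describes is reachable on that server. The two sample configurations, the keytab path, the principal name and the file paths are all constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the ISC advisory or this bug thread.
# Checks whether a named.conf sets tkey-gssapi-keytab or
# tkey-gssapi-credential on an uncommented line. Per the advisory, the
# default (neither set) does not expose the SPNEGO code path; setting
# either one does. All paths and names below are constructed.

# gsstsig_exposed FILE
#   Prints each uncommented line that sets one of the two options and
#   returns 0 if any was found, 1 otherwise. Comment stripping covers the
#   three named.conf comment styles (/* */, //, #) but only handles
#   /* */ blocks that open and close on the same line.
gsstsig_exposed() {
    sed -e 's|/\*.*\*/||g' -e 's|//.*||' -e 's|#.*||' "$1" \
      | grep -E '^[[:space:]]*tkey-gssapi-(keytab|credential)[[:space:]]+"[^"]+"[[:space:]]*;'
}

# sample_default_conf
#   Writes a constructed config in which both options appear only inside
#   comments and prints its path: the default, non-exposed case.
sample_default_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
options {
    directory "/var/cache/bind";
    // tkey-gssapi-keytab "/etc/bind/dns.keytab";
    /* tkey-gssapi-credential "DNS/ns1.example.test"; */
};
EOF
    printf '%s\n' "$f"
}

# sample_gsstsig_conf
#   Writes a constructed config that enables GSS-TSIG the way a Samba- or
#   AD-integrated server typically would, and prints its path: the
#   exposed case. The keytab path and principal are made up.
sample_gsstsig_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";  # constructed path
};
view "internal" {
    match-clients { 10.0.0.0/8; };
    tkey-gssapi-credential "DNS/ns1.example.test";
};
EOF
    printf '%s\n' "$f"
}

# Stand-alone use: sh check-gsstsig.sh /etc/bind/named.conf
if [ -n "$1" ]; then
    if gsstsig_exposed "$1"; then
        echo "GSS-TSIG options set: compare 'named -v' against the affected versions in ISC's advisory"
    else
        echo "GSS-TSIG options not set: default, non-exposed configuration"
    fi
fi
```

The check only tells you whether the code path is enabled; whether the server is actually affected still depends on the running version, which the advisory text here does not enumerate, so pair it with `named -v` and ISC's version list. Note that the heuristic comment stripping would also remove a `#` or `//` that appears inside a quoted string, which these two options do not normally contain.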
Well, there was a regression which caused a crash when handling certain requests that is already patched: https://gitlab.isc.org/isc-projects/bind9/-/issues/2503
Note that ISC are not treating this issue as a security issue, because "this is a newly introduced option and disabled by default":
(In reply to John Helmert III (ajak) from comment #1)
> Well, there was a regression which caused a crash when handling certain
> requests that is already patched:
> Note that ISC are not treating this issue as a security issue, because "this
> is a newly introduced option and disabled by default":
And another, workaround included (and probably patches somewhere): https://lists.isc.org/pipermail/bind-announce/2021-February/001180.html